Smarter technology for a Smarter Planet:

What 3 million lines of code means to a piece of luggage.

It means Amsterdam Airport Schiphol will be able to accurately and efficiently move 70 million pieces of luggage per year—20 million more bags per year than they used to. The airport's automated baggage solution will allow them to increase their baggage handling capacity by 40%, so they can meet the growing demand placed on them as one of Europe’s largest transport hubs. This system is built on IBM Rational® and Tivoli® software and runs on Power Systems™. A smarter business is built on smarter software, systems and services.

Let’s build a smarter planet. ibm.com/luggage

A data visualization of the flow of baggage traffic at Amsterdam Airport Schiphol.

IBM, the IBM logo, ibm.com, Power Systems, Rational, Tivoli, Smarter Planet and the planet icon are trademarks of International Business Machines Corp., registered in many jurisdictions worldwide. Other product and service names might be trademarks of IBM or other companies. A current list of IBM trademarks is available on the Web at www.ibm.com/legal/copytrade.shtml. © International Business Machines Corporation 2010.
[FROM THE EDITOR]

The Retail Paradox

Don’t look now, but the industry that often lags in infosecurity is setting the pace in providing business intelligence.

In the IT world, the retail industry is not widely regarded as a cutting-edge place to work. Margins are notoriously slim, which means investment in experimental technologies is frowned upon. At most companies in the retail industry, you have to be quite sure of the ROI when you pitch a new project.

Of course, there are exceptions. Nonetheless, I stand by my generalization.

The reason PCI DSS exists is that too many retailers were unwilling to spend the money for good infosecurity. A friend who did IT work at a major retailer wasn’t surprised at all when that company suffered a notorious data breach, saying the company seemed to think of any technology more advanced than dial-up Internet access as a wasteful extravagance.

So it’s funny that retail is leading the pack in an important way. Retailers get the idea of using security systems as business-intelligence sensors.

Former CSO Executive Editor Scott Berinato chronicled early developments in retail video intelligence back in January 2005 (you can find the piece at www.csoonline.com/article/219967; it’s quite prescient). Even back then, retailers were starting to use security systems to look at things like how store layout affected foot traffic and sales.

In this Editor’s Letter space in April 2007, I wrote about “the age of analytics,” noting that we’ve entered an era with enough cheap computing horsepower and advanced analytical capabilities to not only improve security but also its ROI (www.csoonline.com/article/221188).

Then in June of last year I wrote the article “Next Stop for Security: Business Intelligence and Business Services,” again emphasizing the use of security systems, expertise and processes to serve the greater organizational goals in new ways (www.csoonline.com/article/494878).

The fact that retail has helped lead the charge in this respect was crystallized again for me at two recent events. Roland Cloutier made the point from the stage at our Security Standard event in September (mind you, this is a CSO with experience at companies in both high tech and the financial industries). And again retail came up as the flag-bearer in several conversations I had at the ASIS show in Dallas last month: one with video storage provider Pivot3 (very interesting), and the other with Cisco, which, to my eye, looks to have fully integrated its 2006 acquisition of SyPixx into a compelling “Smart+Connected Communities” program.

So hats off to our colleagues in the retail industry. On the traditional corporate-physical security side, they’ve taken their industry’s laser-like focus on pinching pennies and made the most of its virtues, demonstrating in concrete ways that security is a business function and an enabler of business goals.

Now about PCI compliance...

—Derek Slater, dslater@cxo.com
Defend your mobile life.

Introducing Junos® Pulse Mobile Security Suite.

The world has gone mobile. But along with all of that mobility comes a diverse set of mobile security needs. From remote wipe and lock to anti-spam, anti-virus and anti-malware to parental controls and SSL/VPN, Junos® Pulse Mobile Security Suite delivers an incredible array of security features, compatible with every major mobile platform. It’s your mobile life, defended.

Junos® Pulse Mobile Security Suite

juniper.net/pulse
[FROM THE PUBLISHER]

Taking Security Seriously

The dichotomies of business intrigue me. How, on one hand, can we see the role of the CSO become increasingly aligned with the business, resulting in elevating the CSO in the reporting structure to a senior-management position, while on the other hand, we see some businesses just don’t really “get” security at all? It makes me wonder what’s going on out there.

Last month in CSO, Bill Brenner showcased the results of the 2011 Global State of Information Security Survey, the annual report we conduct with PricewaterhouseCoopers and CIO magazine. Among the more interesting findings was that the requirements of clients are becoming a major justification for security investment at organizations of all sizes. These client demands are a natural evolution of the 50-page tell-me-about-your-security questionnaire that many of you receive from or require of your partners. Security is becoming a business-enabling, customer-focused arm of the business, and failing to have good security measures and practices in place limits your organization’s ability to successfully engage partners and drive new business.

Here’s one example: I spent some time this month with an attorney friend of mine who specializes in information security law. One of his clients was looking to move some of its services out to the public cloud. After evaluating possible cloud service providers, they narrowed the field of vendors down to two: a large, familiar cloud provider, and a smaller upstart. As part of the final evaluation process, the client asked the providers about the security of their infrastructure. The large cloud service provider said not to worry about it, the company takes security very seriously. The client asked to speak with the vendor’s CSO or CISO and was told that there was no such position at the company.

The smaller cloud service provider, on the other hand, responded that, yes, it too takes security very seriously, and would be happy to bring in its CISO for a debriefing. The smaller firm said it understands how important security is and was able to back up its statements. The second company, though slightly more expensive, got the business. It took security seriously.

Businesses need to understand that good security is a business benefit. Many already do. Some still do not. In this age in which we are all connected to our partners, suppliers and customers, “getting” security is a requirement for staying competitive. Those businesses that understand this can turn it into a competitive advantage. If you have not done so already, I urge you to set up a meeting with your VP of sales or COO and teach her about how seriously your organization takes security. Go beyond the fact that you may be SAS 70 or PCI compliant. Give her the tools that will help her sell what your business does. Doing so will only increase the understanding in your company that security is a business driver, not a cost drain.

Best regards,

—Bob Bragdon, bbragdon@cxo.com


Advertiser Index

ASSA ABLOY ... 35
3M ... 5
BeyondTrust ... 7
CA ... C4
CSO ... 21, 23
HID Corp ... 13
IBM Corp ... C2, 9
Juniper Networks, Inc. ... 3
PhoneFactor ... C3
RSA Conference 2011 ... 15
Security Executive Council ... 17
Trend Micro, Inc. ... 10
University of Maryland University College ... 19

Group Publisher: Bob Melk
Publisher: Bob Bragdon
Senior National Sales Manager: Per Melker
East Coast Regional Sales Manager: Roz Burke
West Coast Regional Sales Manager: Michelle McHugh
Sales Associate: Sarah Nadeau

INTEGRATED MEDIA AND ONLINE SALES
SVP, GM, Online Operations: Gregg Pinsky
VP, Online Sales: Brian Glynn
East Coast Online Regional Sales Manager: Richard Hartman
West Coast Online Regional Sales Manager: Erika Karr
Central Online Regional Sales Manager: Stacy Bryne
Director, Online Account Services: Danielle Tetreault
Online Account Services Specialists: Jennifer Malkasian, Elise Ryan, Tara Shea

CUSTOM SOLUTIONS GROUP
Vice President: Charles Lee
National Sales Directors: Tom Grimshaw, Karen Wilde

PRODUCTION
VP/Manufacturing: Chris Cuoco
Production Manager: Heidi Broadley

EXECUTIVE PROGRAMS
SVP, Executive Programs: Ellen Daly
Vice President, Event Marketing: Michael Garity
Sr. Director, Event Operations: Deb Begreen
VP, Content Development & Events: Derek Hulitzky

MARKETING
Vice President, Marketing: Sue Yanovitch
Sr. Marketing & PR Specialist: Lynn Holmlund

LIST SERVICES
Contact Steve Tozeski of IDG List Services at 508 820-8106 or stozeski@idglist.com

REPRINTS & PERMISSIONS
For information about reprints and copyright permissions, please contact The YGS Group, 800-290-5460 ext. 129, cso@theygsgroup.com

4 www.csoonline.com November 2010

Photo by Christopher Navin


Last year, the average data security breach cost $6.75 Million.

And you just know that Cynthia from finance can’t wait to blow the curve.

3M™ Privacy Filters

Peace of mind in high traffic areas has taken an unexpected form. Precision-fitted 3M Privacy Filters offer a crisp, clear view of your laptop screen when observed from straight on—while blocking wandering eyes from treading on your confidential information. So you can focus squarely on your work. Who knew preventing data breaches could be so elementary?

3M is your solution for privacy on every screen. For more information on 3M Privacy Computer Filters and 3M Mobile Privacy Films, visit www.3MPrivacyFilter.com/Business or call 800-553-9215.
What’s on your mind? Security leaders discuss and debate at www.csoonline.com

BLOG POST

What’s Next For IT Security? Post-PC Devices

This year, the number of post-PC devices, such as tablets, e-readers, and Internet-capable mobile phones, will eclipse PC devices, such as desktops, laptops and netbooks. I heard a story earlier this week about a CEO who went to a board meeting and felt a little cranky because he was the only person there without an iPad.

The invasion of nontraditional computing devices into the business sphere is a big deal for security and risk professionals. It changes the perception of what computing is and creates what my colleague Jeff Hammond calls “the mess of many.” And when it comes to security, the changes are even more profound. Not only are these devices smaller and more personal, but they are more likely to be lost or stolen. And as your favorite security vendors have been pointing out, they just might be riskier too.

At Forrester, we have a slightly different take than the security vendors. Post-PC devices aren’t like general-purpose PCs. They don’t run general-purpose operating systems, and they have distinct security characteristics that make them more risky in some ways, but less risky in others.

If you are trying to make sense of all this, as your IT staff struggles to field increasingly loud requests to connect every imaginable device to your network, you aren’t alone. Trying to navigate the post-PC era is a hugely popular topic with our enterprise clients right now. But fortunately, we also have a report that tells you What It Means. Introducing my new report, “Security in the Post-PC Era: Controlled Chaos.” From the abstract:

“The surge in post-PC devices that do less but do it in more places means that security and risk (S&R) professionals no longer have the authority to veto the use of mobile devices or limit use to a specific brand. But these devices increase the risks enterprises face, with the prospect of increased theft and rogue apps and questions about data ownership. On the other hand, post-PC devices are safer to use than traditional PCs and require less security aftermarket products as a result. S&R professionals should aim to bring a measure of control to an increasingly chaotic environment but not stifle employee flexibility and innovation. To be successful, enterprises must let device capabilities, not brands, drive support decisions; build a multidevice management infrastructure; set up a company app store; and use thin clients to keep sensitive data off of endpoint devices.”

I’d love to hear what you think about this report. While you’re at it, check out the vibrant discussion S&R pros have been having on the Forrester Community site: http://community.forrester.com/message/8620#8620. And if you’d like to know just what your users think about all this, see the Community discussion on consumerization from the end-user’s perspective: http://community.forrester.com/message/6110#6110.

—Andrew Jaquith
People need boundaries, not walls.

In the world of Web 2.0, you cannot safely distribute full admin rights on desktops or root passwords on servers.

So how do you protect against misuse of privileges, whether intentional, accidental or indirect, without stifling productivity? By allowing specific applications, tasks and commands. BeyondTrust makes it simple. Transparently brokering permissions from a central console, it enables users to work without interference, and provides detailed privileged access logging, key logs, and audit trails.

So don't think you have to choose between security and productivity, or risk non-compliance.

Delegate privileges with certainty and clarity... with BeyondTrust.
BLOG POST

Marketing Associations Launch Self-Regulatory Scheme for Online Data Collection

Early in October, leading marketing associations made available a self-regulatory scheme for businesses that collect information about consumer interactions with websites for advertising purposes (http://www.aboutads.info/). The scheme aims to bring order to the chaos that currently exists in online data collection. It is also an attempt to avoid further direct regulation by state and federal lawmakers.

The program is designed to provide consumers with better and more easily identifiable notice of when data is being collected and a means to opt out. Whether the program will be widely adopted and achieve its goals will not be known for some time. What is known is that if a business elects to implement the program and then fails to comply with its requirements, it could be found in violation of Section 5 of the FTC Act, which prohibits “unfair and deceptive” trade practices. This is the same exposure businesses have faced for many years now when they publish privacy policies and statements about their security only to run afoul of their own requirements. The bottom line is, look before you leap. Businesses that elect to participate in the program must implement means to ensure they comply. Failure to do so could expose them to state and federal liability.

—Michael Overly

BLOG POST

Quantum Computing and Data Protection

A good (and short) article on quantum computing with references to other articles about the rapid pace of advances can be found here: www.thenewnewinternet.com/2010/09/21/quantum-technology-pave-way-for-faster-than-light-computing/.

The article mentions that U.S. defense and intelligence agencies see quantum computing as the foundation for the IT industry in the mid-21st century, and that they are concerned with national security issues. Why? Because a programmable quantum computer renders the two mainstream public-key crypto systems useless. Both RSA and ECC (elliptic curve cryptography) algorithms would be cracked and unable to protect any data, period.

The National Institute of Standards and Technology, the University of Bristol, Google, and others are spending hundreds of millions of dollars researching quantum computing, and the intelligence community is researching post-quantum cryptography to try to head off the looming threat.

What was once viewed as science fiction and decades away is fast approaching—maybe just several years away. And you thought moving to RSA 2048 was painful? Better start looking for other public-key crypto systems. And, by the way, some of the lattice-based crypto systems are orders of magnitude faster than RSA today—long-term security and performance improvements... there’s a winner!

—Ed Adams

MORE ON THE WEB

Join the CSO Forum on LinkedIn

The CSO Forum is the best place to share expertise with peers: top leaders in digital and physical security, business continuity, fraud prevention and other operational risk areas. Members get advance access to research, event discounts and more.

To find us, search LinkedIn’s groups for the CSO Forum.




The new industry standard.

Up until now, many companies have settled for x86 performance with the mistaken belief that more power equals more money. That equation has changed. Today, a comparable workload on IBM Power® 730 Express systems can be as much as 37% less expensive than on HP ProLiant DL380 G7 systems.¹ And we haven’t compromised performance to reach that price point. Power Systems™ are designed to enable you to optimize hundreds of workloads on a single system, drive up to 90% utilization and reduce energy costs by up to 80% when consolidating servers. Can systems be built to do more for less?

On a smarter planet they can. ibm.com/power7

Smarter systems for a Smarter Planet.

1. Comparison based on performance and virtualization advantage of two IBM Power 730 Express systems with equivalent throughput of five virtualized HP ProLiant DL380 G7 systems and takes into account the cost of the systems, operating system, virtualization and middleware software and software support for 3 years. Comparison is based on performance and utilization characteristics in a virtualized environment. Actual performance, system and software savings and environmental cost savings will vary depending on client actual implementation. Contact IBM to see what we can do for you. For more information, visit www.ibm.com/power7/claims. IBM, the IBM logo, ibm.com, Power, Power Systems, Smarter Planet and the planet icon are trademarks of International Business Machines Corp., registered in many jurisdictions worldwide. Other product and service names might be trademarks of IBM or other companies. A current list of IBM trademarks is available on the Web at www.ibm.com/legal/copytrade.shtml. © International Business Machines Corporation 2010.
Technology Innovation Spurs a Fresh Look at Security

When it comes to technology innovation—such as mobility and the cloud—a whole new security architecture is in order, says Trend Micro’s Steve Quane.

What security threats are keeping your customers awake at night?

Obviously, the sheer volume of attacks is a huge problem. In fact, Trend Micro has seen attacks increase from one every couple of days to one every three seconds. How that manifests for our customers is in complexity, because they have to determine how to keep their environment current and control all the holes. At the same time, some highly visible and successful attacks have raised issues about data protection. CISOs now recognize that attacks target data, not computers—and that concern dominates their thinking.

How is technology evolution affecting security today?

Two huge changes in the use of technology are affecting security. First, mobility has become a reality. With innovations such as iPads, Androids and multidevice computing, data and computing are being spread all over the place. Second, as end users are going mobile, data centers are going virtual. The cost benefits have clearly proven advantageous, but virtualization requires an entirely new security architecture. These two changes will ultimately meet in the cloud, and many CISOs don’t necessarily see a clear way to deal with it all.

How are conscientious CISOs tackling the challenge?

Most CISOs are asking some really big questions they haven't had to ask in a while, starting with “Do I need to rethink and rearchitect my security strategy?” More-progressive CISOs fully acknowledge that need. They recognize that deploying their traditional antivirus strategy across virtual machines may result in performance issues when all those products start scanning at the same time. They understand that leaving dormant machines unpatched and out of date for three months can allow rogue machines to infect the infrastructure when they are reactivated. And, more importantly, they realize that moving to the cloud means that they have to consider how a considerable gain in cost and performance benefits can lead to an equally significant trade-off in data protection.

What are the core elements of an effective cloud security strategy?

The first is a psychological step: CISOs need to realize that a new security architecture is indeed necessary for mobility, virtualization and ultimately the cloud, to take into account that CISOs must devise a specific security strategy for virtualization with new management and security practices. For example, the traditional perimeter-based (or “outside-in”) security model isn’t enough. What’s needed, rather, is more of an “inside-out” strategy in which the security perimeter starts at the virtual machine and moves outward, rather than starting at the data center perimeter and moving inward. Our Deep Security solution builds a perimeter around a virtual machine that travels with the workload.

Next, CISOs need data security solutions that are workload-based. Here, emerging technologies such as SecureCloud can clean a machine and encrypt all the data that comes out of it, giving IT operations the freedom to store that data with confidence anywhere, including private or public clouds. Tying all these elements together with a virtualization-specific security strategy is critical—although quite a departure from the old approach.

Are TCO gains lost when new security is added to the mix?

Clearly, mobility and the cloud have very significant TCO implications. And, of course, security and management do put cost back into the equation. But if they do it correctly, CISOs can still realize multiple savings by moving to a cloud-based security model, building a security architecture that is optimized for a virtual environment and approaching data protection in a more efficient manner.

Edited by Bill Brenner


THREAT

Stuxnet: The New Face of Warfare?

This crafty piece of malware may be the weapon we’ve been warned about

A highly sophisticated computer worm that has spread through Iran, Indonesia and India may have been built to destroy operations at one target: Iran’s Bushehr nuclear reactor. That’s the emerging consensus of security experts who have examined the Stuxnet worm.

In recent weeks, they’ve broken the cryptographic code behind the software and taken a look at how the worm operates in test environments. Researchers studying it all agree that Stuxnet was built by a very sophisticated and capable attacker, possibly a nation-state, and it was designed to destroy something big.

Though it was first developed more than a year ago, Stuxnet was discovered in July 2010, when a Belarus-based security company found it on computers belonging to an Iranian client. Since then, it has been the subject of ongoing study by security researchers who say they’ve never seen anything like it.

Now, after months of private speculation, some of the researchers who know Stuxnet best say it may have been built to sabotage Iran’s nukes.

Ralph Langner, a well-respected expert on industrial-systems security and Siemens software, published an analysis of the worm and suggests that it may have been used to sabotage Iran’s Bushehr nuclear reactor. Langner simulated a Siemens industrial network, which Stuxnet is designed to target, and then analyzed the worm's attack.

Experts thought at first that Stuxnet was written to steal industrial secrets: factory formulas that could be used to build counterfeit products. But Langner found something quite different. The worm actually looks for very specific Siemens settings (a kind of fingerprint that tells it that it has been installed on a certain type of Programmable Logic Controller device) and then it injects its own code into that system.

Because of the complexity of the attack, the target “must be of extremely high value to the attacker,” Langner wrote in his analysis.

Langner thinks it’s possible Bushehr may have been infected through the Russian contractor now building the facility, JSC Atomstroyexport. Recently, the company’s website was hacked, and some of its webpages are still blocked by security vendors because they are known to host malware. This is not an auspicious sign for a company handling nuclear secrets.

Tofino Security CTO Eric Byres is an industrial-systems security expert who has tracked Stuxnet since it was discovered. Initially he thought it was designed for espionage, but after reading Langner’s analysis, he’s changed his mind. “I guessed wrong, I really did,” he says. “After looking at the code that Ralph hauled out of this thing, he’s right on.”

One of the things that Langner discovered is that when Stuxnet finally identifies its target, it makes changes to a piece of Siemens code called Organizational Block 35. This Siemens component monitors critical factory operations, things that require a response within 100 milliseconds. By messing with Organizational Block 35, Stuxnet could easily cause a refinery’s centrifuge to malfunction, and it could be used to hit other targets too, Byres says. “The only thing I can say is that it is something designed to go bang,” he says.

Whoever created Stuxnet developed four previously unknown zero-day attacks and a peer-to-peer communications system, compromised digital certificates belonging to Realtek Semiconductor and JMicron Technology, and displayed extensive knowledge of industrial systems. This is not something that your run-of-the-mill hacker can pull off. Many security researchers think that it would take the resources of a nation-state to accomplish.

To military hawks in the West, malware that can shut down Iran’s infrastructure is all well and good. The problem is that sooner or later, the West may find itself the target of something similar.

—Robert McMillan
FINANCIAL CRIME

New Adventures in Money Laundering

The bad guys will always use the latest technology to launder money and avoid detection. What are they using now and what should businesses look out for?
Kevin Sullivan has a philosophy that has carried him through his two-plus decades in security and law enforcement: All crimes, whether they are digital or physical, are joined at the hip. A former FBI investigator who cut his teeth on financial crimes, Sullivan found that most fraud can be traced back to some kind of organized group. This is particularly true for money laundering.

Money laundering is the act of making illegally obtained funds appear to have come from a legitimate source. The criminal must figure out a way to make the cash appear legitimate so as not to alert the authorities to his real occupation and the actual source of the income.

“Money that is laundered is money that taxes would have been paid on if things were done legitimately,” he said. “It’s money that enables drug lords to buy new guns and new bullets to kill more people. There are a lot of bad things connected to it. People think it’s just a nonviolent crime, but there is actually a lot of violence that can go on to get that money. By allowing criminals to launder money, it allows them to continue what they are doing.”

Sullivan, who is retired from law enforcement, is now owner and director of the Anti-Money Laundering Training Academy, a consultancy and education organization that counsels businesses about money-laundering programs. By law, every U.S. financial institution is required to have such a program.

Sullivan spoke with CSO about the latest tricks money-laundering criminals are using to pull off their schemes.

What’s the scope of money laundering right now? Are there any trends you are seeing this year?
The best possible estimate is that it’s $1.5 trillion a year that gets laundered worldwide. Trends crop up so frequently there could be a trend of the day. Every time the good guys build a 10-foot ladder, the bad guys build an 11-foot wall. At best, we are trying to keep up with them. They spend a tremendous amount of time and resources trying to get around the latest plug you put in the dyke.

There are hundreds of money-laundering techniques being used. A new trend is virtual money laundering. There are popular online games like Second Life and World of Warcraft. Criminals can launder money through these now. In the case of the virtual worlds, technically, money can be laundered by creating several online identities. Real currency is exchanged for virtual currency and then moved to other identities, and the virtual cash is redeemed for real money. It is quite simple in process.

At this time, the amount of money that can be moved is very low and this method would not classify as one of the better ways to move a lot of money. However, it is a method and money launderers will use any and all available methods.

If the good guys start to believe that a certain method is not good, then that alone is reason enough for the bad guys to go there and use it, as the feeling is that it might be easier to fly under the radar. Currently, awareness of virtual money laundering should be in every investigator’s playbook. As the virtual worlds develop, the authorities should revisit and reanalyze to determine the effectiveness of this method.

What about social networking sites? Are these being used?
We have heard rumors that criminals are using the instant messaging and virtual aspects of these sites to converse back and forth. They are using these now because they know phones are often wired.

Who is most at risk for finding themselves caught in a money-laundering scheme? Are any particular organizations being targeted or used now?
Any type of financial institution is at risk. But any type of business can be at risk because it can be used inadvertently in a money-laundering scam. One example I will use is Bell Helicopter, which was used in a scam. Drug lords were buying helicopters and parts. Obviously they didn’t call and say, ‘We need to buy a helicopter.’ They did it through cover individuals. Twenty-six different payments from different businesses were used to buy one helicopter.

How can companies avoid becoming involved?
There are numerous enterprise-level software anti-money-laundering packages that organizations can use, readily available and customizable to your particular organization and requirements, that can be used to detect some of these anomalous behaviors. Some may provide Office of Foreign Assets Control assistance, Bank Security Act oversight, due diligence and money-laundering red-flag detection.

You train employees at organizations about anti-money-laundering techniques. What are the red flags you advise people to look out for?
Whatever particular business you are in, whether you’re a financial institution or selling sneakers, there are red flags. The most common is a transaction that makes no sense. The most important thing for any business to do is due diligence. Just accepting someone’s word and check isn’t good enough.

-Joan Goodchild
Convenience meets Security at the desktop.

Whether your organization needs a contact smart card for secure log-in, digital signature or secure remote access, or you require the most convenient two-factor authentication solution, HID Global’s OMNIKEY contact and contactless smart card readers provide a fast and reliable solution. Compliant with industry standards, OMNIKEY contact and contactless readers are compatible with virtually any smart card, any operating system and a variety of applications. Available in numerous form factors, OMNIKEY readers offer a risk-appropriate choice for any organization.

For information on HID Global’s innovative line of smart card readers, visit hidglobal.com/smartcard/CSO
Security Wisdom Watch

People, places and things making an impact on security, for better or worse

Thumbs down: Lower Merion School District, Pennsylvania: The district agreed to fork over $610,000 to settle a lawsuit that accused school officials of spying on students via school-issued laptops. We’d like to think they were doing the right thing and admitting that spying on students was illegal and wrong, but we suspect they were just covering their legal backsides.

Thumbs up: HacKid organizers: The security community pulled off an excellent kid-oriented security event in Boston last month. Since the future of security is in the hands of our children, we hope to see more of these.

Thumbs both ways: Facebook: The social networking giant rolled out temporary passwords to help users defend themselves against keyloggers, but then discovered popular apps are leaking personal identification data.

Thumbs both ways: Microsoft: The software giant released its biggest batch of security patches ever last month. It goes to show that Windows is still a big target. But thanks to Microsoft’s security efforts, the situation is much better than it was six years ago. -B.B.
SHARED INTELLIGENCE

How the Physical and IT Security Departments Can Work Together

Two specialists team up to improve corporate defenses

Physical- and IT-security shops often have trouble working together. They have separate departments and cultures, and the disconnect can cause criminal activity to go unnoticed.

At the recent CSO Security Standard event in New York, two security professionals sought to change that, offering a plan for how the physical and IT sides can join forces to create a far more potent defense.

Representing the physical side was Richard Gunthner, vice president of global corporate security for MasterCard Worldwide.

Representing the IT side was Roland Cloutier, vice president and CSO for ADP.

“Much of my career has been spent on the IT side, and Richard has dealt largely with the physical, but now our jobs are looking more and more alike,” Cloutier said.

“Security is not about headcounts in the physical and IT departments. We need to leverage each other’s people, processes and technologies.”

First, consider the technologies. On the physical side, there are the alarm systems, CCTV monitoring and video analytics.

Video can spot the suspicious person hiding behind a tree and can track the flow of automobiles in and out of the parking lot.

On the cyber side, there’s security incident and event management (SIEM) technology and other tools to track potential data leakage and perform functions such as deep-packet inspection.

When it comes to global risk and intelligence analysis, physical security uses intelligence collection and risk monitoring, and IT uses governance, risk-management and compliance platforms, anti-fraud feeds and control-assurance platforms.

So where do the physical and IT ends meet? Cloutier and Gunthner presented this scenario:

1) A thief takes a computer.

2) The SIEM system detects a resource change (the computer removed from its proper place).

3) The physical-security information management (PSIM) system detects that the doors in and out were not accessed according to protocol (for example, a card swipe to open the door).

4) The SIEM and PSIM talk to each other, compare data and trigger a response rule.

5) The incident-handling system receives an alarm and initiates the proper procedure for dealing with the theft.

6) The related notification technology on the physical and IT sides triggers a prearranged response.

By pooling the physical and IT technologies and procedures, chances of the company finding the thief and retrieving the computer increase significantly.
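The six-step scenario above can be written as a single correlation rule. What follows is an added example, not code from the article or from ADP or MasterCard: it joins a constructed SIEM feed (asset-removal events) with a constructed PSIM feed (door events) for the same zone and time window and decides what the response rule should do. The event fields, zone and door names, badge IDs and the 10-minute window are assumptions of the example.

```python
"""Correlating a SIEM asset-change event with PSIM door-access records.

Added example for the six-step theft scenario; not code from the CSO article
or from ADP or MasterCard. Event formats, zone and door names, badge IDs and
the 10-minute window are constructed assumptions.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional


@dataclass(frozen=True)
class SiemEvent:
    ts: datetime
    kind: str     # "asset_removed" = the host dropped off its switch port / agent
    asset: str
    zone: str     # physical zone the asset is assigned to


@dataclass(frozen=True)
class PsimEvent:
    ts: datetime
    zone: str
    door: str
    badge: Optional[str]   # None when the door opened with no card swipe
    result: str            # "granted", "denied" or "forced"


WINDOW = timedelta(minutes=10)   # assumption: how far apart the two signals may be


def correlate(siem: List[SiemEvent], psim: List[PsimEvent],
              window: timedelta = WINDOW) -> List[dict]:
    """Response rule: an asset removal plus a door anomaly in the same zone and
    window opens an incident; a removal with no badge activity at all is flagged
    for verification; a removal covered by a granted badge swipe is treated as
    an authorised move and produces no alert."""
    alerts = []
    for s in siem:
        if s.kind != "asset_removed":
            continue
        lo, hi = s.ts - window, s.ts + window
        nearby = [p for p in psim if p.zone == s.zone and lo <= p.ts <= hi]
        anomalies = [p for p in nearby if p.result != "granted" or p.badge is None]
        granted = [p for p in nearby if p.result == "granted" and p.badge is not None]
        if anomalies:
            severity, action = "high", "open_incident"
        elif not granted:
            severity, action = "medium", "verify_with_facilities"
        else:
            continue   # explained by a proper badge access: log only, no alarm
        alerts.append({
            "asset": s.asset,
            "zone": s.zone,
            "when": s.ts.isoformat(),
            "severity": severity,
            "action": action,
            "doors": [(p.ts.isoformat(), p.door, p.badge, p.result) for p in anomalies],
        })
    return alerts


# Constructed sample feeds: one theft, one scheduled move, one unexplained removal.
SIEM_EVENTS = [
    SiemEvent(datetime(2010, 11, 3, 2, 14), "asset_removed", "LAPTOP-17", "floor3-east"),
    SiemEvent(datetime(2010, 11, 3, 14, 5), "asset_removed", "SRV-DB02", "datacenter"),
    SiemEvent(datetime(2010, 11, 3, 22, 40), "asset_removed", "WS-44", "floor2-west"),
]
PSIM_EVENTS = [
    PsimEvent(datetime(2010, 11, 3, 2, 12), "floor3-east", "stairwell-B", None, "forced"),
    PsimEvent(datetime(2010, 11, 3, 14, 3), "datacenter", "dc-main", "BADGE-0912", "granted"),
    PsimEvent(datetime(2010, 11, 3, 9, 0), "floor2-west", "lobby-2", "BADGE-0331", "granted"),
]


def demo() -> List[dict]:
    """Run the rule over the constructed feeds."""
    return correlate(SIEM_EVENTS, PSIM_EVENTS)


if __name__ == "__main__":
    for alert in demo():
        print(alert)
```

The laptop removed two minutes after a forced stairwell door becomes a high-severity incident, the database server whose removal coincides with a granted badge swipe is left alone, and the workstation with no door activity in the window is sent to facilities for a check rather than silently dropped; neither feed on its own would have supported that triage.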

The scenario may sound painfully obvious, but, as the two men pointed out, things often don’t work this way.

The benefits of working together are considerable, Gunthner said, noting that a combined defense can help reduce cases of identity theft, leaked corporate secrets, travel risks affecting employees, being targeted for terrorism, and so on. -Bill Brenner
SOCIAL NETWORKING

Facebook Fights Keyloggers With One-time Passwords

Worried about logging into Facebook from a strange computer? There’s now a way to get into the popular social networking site without entering your usual password.

It’s called a temporary password, and Facebook announced the new service last month.

The idea is to make it “safer to use public computers in places like hotels, cafes or airports,” said Facebook Product Manager Jake Brill in a blog post. “If you have any concerns about [the] security of the computer you’re using while accessing Facebook, we can text you a one-time password to use instead of your regular password.”

The service is being rolled out gradually to Facebook users and will be available worldwide in the next few weeks.

To take advantage of it, users must list their mobile phone numbers on their Facebook accounts. They can then text the letters “otp” to the number 32665 from their phones. Facebook sends back a temporary password that is good for 20 minutes.

The idea is to protect users in the event that a computer has been hacked and someone has installed password-stealing keylogging software on it. Instead of stealing a permanent password, the keylogger will record only a temporary password that can’t be used again.
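The protection described above rests on two properties of the temporary password: it expires after 20 minutes and it can be used only once. The following is an added example, not Facebook’s code (Facebook has not published its implementation), showing a minimal service with both properties plus a guess limit. The 20-minute lifetime comes from the article; the alphabet, code length, attempt limit and hash-only storage are assumptions of the example.

```python
"""A temporary (one-time) password service with expiry and single use.

Added example, not Facebook's code. The 20-minute lifetime is from the
article; the alphabet, length, attempt limit and hash-only storage are
assumptions of this example.
"""
import hashlib
import hmac
import secrets
from datetime import datetime, timedelta

OTP_LIFETIME = timedelta(minutes=20)
MAX_ATTEMPTS = 5
# No 0/O or 1/I, so a code read from an SMS is not mistyped.
ALPHABET = "ABCDEFGHJKLMNPQRSTUVWXYZ23456789"
T0 = datetime(2010, 11, 1, 9, 0)   # constructed reference time for the demo


class TemporaryPasswordService:
    def __init__(self, lifetime: timedelta = OTP_LIFETIME) -> None:
        self.lifetime = lifetime
        self._pending = {}   # user -> [sha256 digest, expiry, attempts left]

    def issue(self, user: str, now: datetime, length: int = 8) -> str:
        """Generate a code for `user`; the caller texts it to the registered
        phone. Only its hash is kept, so a database leak does not expose it."""
        code = "".join(secrets.choice(ALPHABET) for _ in range(length))
        self._pending[user] = [self._digest(code), now + self.lifetime, MAX_ATTEMPTS]
        return code

    def verify(self, user: str, candidate: str, now: datetime) -> bool:
        """True exactly once per issued code, and only before it expires."""
        entry = self._pending.get(user)
        if entry is None:
            return False
        digest, expiry, attempts = entry
        if now > expiry:
            del self._pending[user]   # expired: a keylogged copy is now useless
            return False
        if hmac.compare_digest(digest, self._digest(candidate)):
            del self._pending[user]   # single use: replaying the same code fails
            return True
        entry[2] = attempts - 1
        if entry[2] <= 0:
            del self._pending[user]   # too many guesses: user must request a new code
        return False

    @staticmethod
    def _digest(code: str) -> bytes:
        return hashlib.sha256(code.strip().upper().encode()).digest()


def replay_scenario(now: datetime = T0) -> dict:
    """The public-terminal case from the article: the legitimate login succeeds,
    a captured copy replayed a minute later fails, and an unused code fails
    once its 20 minutes are up."""
    svc = TemporaryPasswordService()
    code = svc.issue("alice", now)
    login = svc.verify("alice", code, now + timedelta(minutes=3))
    replay = svc.verify("alice", code, now + timedelta(minutes=4))
    stale = svc.issue("alice", now)
    expired = svc.verify("alice", stale, now + timedelta(minutes=21))
    return {"login": login, "replay": replay, "expired": expired}


if __name__ == "__main__":
    print(replay_scenario())
```

The regular password never enters the picture on the untrusted machine, which is the whole point; what the keylogger captures is a code that the service has already deleted by the time anyone tries to reuse it. The attempt counter matters because an 8-character code from a 32-symbol alphabet is short enough that an unlimited online guessing budget would be a real weakness.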

Facebook has been playing a cat-and-mouse game with scammers over the past few years as criminals find new ways to misuse the social network.

Last month, Facebook introduced a system that allows users to track which computers have been used to log in to their accounts and to remotely log out any machines that shouldn’t have access.

That feature was also rolled out gradually and is now available to all users, Brill said.

To stay ahead of the scammers, Facebook also plans to prompt users more often to make sure that their contact information and security questions are up to date.

This is the kind of data that can be used to recover a Facebook account if scammers steal a user’s password, so keeping it updated will make it easier for legitimate users to regain control of their accounts if they are compromised.

-R.M.


Verbatim...

Shots heard ’round the security world

“Though we would have valued the opportunity to finally share an important, untold story in the courtroom, we recognize that in this case, a lengthy, costly trial would benefit no one.”

-Lower Merion School District Board President David Ebby on the settlement reached with those who sued for having their privacy violated via school-issued computers

“As good as it is today, you don’t have the same reliability as you have with a local-area network.”

-James Pu, information security officer for the Los Angeles County Employees Retirement Association, on why his organization is moving slowly on cloud computing

“Companies are increasingly dependent on third parties, whether they like it or not, and those partners need access to your IT infrastructure and your data. That’s tough when times are good and scary when times are bad.”

-Mark Lobel, a principal in PricewaterhouseCoopers’ advisory services division, on a survey that showed increased concern over the security of business partners
AUDIT

SAS 70 Replacement SSAE 16 Coming Soon

Experts provide essential information about the new auditing standard

The Statement on Auditing Standards 70 has for years been the benchmark against which service providers measured internal security controls. But it hasn’t been without its critics, and its replacement is at hand.

Next summer, SAS 70 will be replaced by Standards for Attestation Engagements (SSAE) 16. The Auditing Standards Board of the American Institute of Certified Public Accountants finalized the standard in April and set a start date of June 15, 2011. Its purpose is to update the service-organization reporting standard so it mirrors and complies with the new international standard known as ISAE 3402.

Holly Russo, senior manager for accounting firm Schneider Downs, summed up what’s new about SSAE 16 in a note to clients on the company’s website:

“Key differences include the following: The requirement of a ‘management assertion’ section within the report. Under SSAE 16, management of service organizations are required to provide a written assertion in the body of the report about the fair presentation of the description of the service organization’s system, the suitability of the design of the controls and the operating effectiveness of the controls. If a service organization uses subservice organization(s) and elects to use the inclusive method, the subservice organization(s) assertion must also accompany the auditors’ report. Management’s assertion must also specify the criteria used for its assessment. These assertions are similar in nature to SAS 70 audit management representation letters. A separate management representation letter is also still required.”

With the clock ticking, CSO decided to get some feedback from those who have experienced or conducted SAS 70 Type II audits (the relevant type under that standard). The goal is to see how well it has prepared companies for the broader auditing gantlet to come.

The four perspectives that follow are in response to our inquiries in various LinkedIn forums.

Scott Crawford, research director at Enterprise Management Associates and former information security officer for the International Data Centre of the Comprehensive Nuclear-Test-Ban Treaty Organization in Vienna, Austria: A SAS 70 audit is conducted according to objectives defined by the service organization for itself.

In other words, SAS 70 is not itself a framework of objectives, but rather allows the organization to choose its objectives, which begs the question of “audited to what standard?”

Of course, most orgs will be motivated to audit to a recognized standard of some sort.

In many cases, widely accepted guidance such as COBIT may be used as a framework, but COBIT can be very general, and may be geared more toward higher-level program management than specifics of implementation. But COBIT is just one of many such, and any framework can be tuned to the specific needs of an organization or an audit, so knowing the controls and control objectives of a specific audit is equally important. This means that a SAS 70 audit could be very thorough if the control objectives are highly granular, and uselessly general if too extreme at the other end of the spectrum.

Thus, there are in fact not only many alternatives to a SAS 70 audit, but many control objectives and frameworks that could be defined for any audit, including for any SAS 70 audit. This includes PCI DSS, ISO 27000-series, SysTrust, and so on. The BITS Shared Assessments initiative was intended specifically to enable primarily financial organizations to work together to standardize assessment in a number of areas, including security.

However, there are also deficiencies in each of these approaches, such as how current the standard is with the current landscape of IT threats or the technology itself. Virtualization, for example, still has yet to be addressed as thoroughly as it should be in some cases. Yet it is frequently a fundamental technology in cloud computing.

Chris Schellman, president and shareholder, SAS 70 Solutions: The SAS 70 audit standard works great for its intended purpose, and not so well otherwise. It never claimed to be the universal solution for all assessment needs, but there is absolutely no substitute for it in the areas of financial statement audit and SOX compliance. Criticism of the standard often demonstrates profound disregard for the standard’s intended purpose. It is fair to criticize the misapplication of the standard and misuse of SAS 70 audit reports, but those problems do not equate to a fault in the standard itself.

To say the SAS 70 standard is going away might not be the best angle. Yes, it is being superseded by SSAE 16, but SSAE 16 used the SAS 70 standard as its basis. So did the international standard, ISAE 3402, which the assurance bodies of other countries are busily adopting entirely or are aligning their SSAE 16-equivalent standards to match. Most differences between SAS 70 and the new standards will be almost indistinguishable to the average layperson.

Don Fergus, CSO for Intekras: In our IT Risk reviews, we use ISO 27001/27002 to review the adequacy of security measures in place. By definition, SAS 70 reviews include procedures to obtain reasonable assurance about whether control descriptions (as described by management) present the aspects of a service organization’s controls that may be relevant to an audit of financial statements, and further that the controls included in the description were suitably designed to achieve the control objectives specified in the description.

This means that in a SAS 70 Type II review, a service organization describes its control mechanisms and then one tests them to verify that the control exists. So if there’s a lousy control in place, the reviewer attests to its existence rather than recommend its improvement.

Unlike SAS 70, the ISO standard has over 150 predefined controls. During our ISO-based reviews, we determine whether a specific control applies (through a Statement of Applicability), how an organization meets the control objective, and we collect evidence that they have met the control. Rather than rely on management to describe controls (and then merely attest to their existence), we prefer ISO-based reviews, because it provides a comprehensive set of security-related topics and an objective means of measuring risk.

Shrinath, senior information security auditor at SunGard: My organization has undergone SAS 70 audits for the last 3 years. For the first year, it was definitely challenging to know all about it and its testing procedures.

It is definitely one of the most stringent audits because of the number of evidence samples picked up for testing, and any failure in a single one of them can result in control failure unless you have very good compensating controls for it.

-B.B.
TOOLS, TECHNOLOGIES AND TACTICS

By Neil Roiter

Paying for the Privilege

Privileged-identity-management tools help clean up shared-account sprawl, plug security leaks and bring enterprises into compliance

Privileged-identity-management (PIM) products automate control over administrative accounts, which typically put too much power in too many people’s hands with too little accountability. They address the security, operational and compliance issues posed by the widely shared administrative accounts and passwords, excessive administrative rights, poor separation of duties, embedded passwords in legacy applications and scripts, and poor or nonexistent privileged-password rotation. They also provide individual accountability and an audit trail to prove that policies and controls are actually being enforced.

Ironically, enterprises often do a better job managing standard-user accounts and passwords than privileged accounts. The reasons are complex: a maze of practical, historical and cultural impediments. Typically, it’s almost impossible to find all the interdependencies among the applications, systems and services an account may touch. As a result, IT managers and the business people they serve are reluctant to change passwords and alter accounts lest they break critical production processes. And trusted admins are accustomed to being trusted: trusted with sweeping administrative rights, trusted to keep passwords within their tight group. But, in fact, access to privileged accounts is extended in emergencies or when procedures are bypassed to get something done quickly. So users get sweeping privileges beyond their business needs and, once granted, those privileges are seldom taken away.

“With a small staff and a range of support issues that came up, people became aware of what accounts there were, what passwords there were,” says the security lead for a midsize manufacturing company that now uses Cyber-Ark PIM products. “There was no tracking around who did what and what kind of account they were using.”

A combination of a growing awareness of the security issues posed by poorly controlled privileges and increased audit scrutiny has prompted enterprises to attempt to address the issue. Home-grown and manual control processes have proven unwieldy: They are time-consuming and labor-intensive, provide spotty coverage and are difficult to validate for an audit.

What PIM Does

PIM products are designed to rein in the shared-privileged-account sprawl, automate manual processes and provide an audit trail and monitoring of privileged account and user activity. Several vendors have established themselves in the PIM market, most notably BeyondTrust, Cyber-Ark, e-DMZ Security and Lieberman Software. The suites vary somewhat, but they have four primary capabilities:

Privileged password and account management: This is the core capability of any PIM suite, which addresses the primary pain points around privilege management. The PIM product is a secure repository that internally and automatically generates new passwords and controls user access and authorization for all systems according to corporate policies. So the privileged user logs in and is granted access and authorization for that session based on company-defined roles. The idea is to eliminate account and password sprawl and grant the user only those rights that are required to perform his job. The tool also provides detailed audit trails and should integrate seamlessly with corporate directories, ticketing systems, and so on.

Managing services, scripts and applications: The PIM will manage nonhuman accounts, such as those required by services and accounts in legacy applications. This ensures that system password changes will be extended to all dependent services. Passwords for embedded applications, which enterprises are reluctant to touch lest they break the app, will no longer be compromised.

Session control and monitoring: This capability allows enterprises to authorize privileged-user connections on a per-session basis and monitor and record activity during the session. This may include a DVR-like recording function that allows investigators to watch exactly what was done.

Command control: This allows granular control and monitoring of commands a user can run based on her role and required tasks.
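To make the four capabilities concrete, here is an added example of a toy vault. It is not code from BeyondTrust, Cyber-Ark, e-DMZ Security or Lieberman Software: it hands out a shared account’s password per session to a named user who holds an approved role and a change ticket, checks each command against that role, rotates the password at check-in so the copy the user saw stops working, and writes every step to an audit trail. The role policy, account names, ticket format and one-hour session limit are constructed assumptions.

```python
"""A miniature privileged-identity-management vault.

Added example, not code from any PIM vendor named in the article. Shows
per-session credential checkout by role, password rotation after every use,
command control and an audit trail. The policy, account names, ticket format
and one-hour session limit are constructed assumptions.
"""
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

# Assumed corporate policy: which roles may use which shared accounts and
# which programs they may run while holding them.
POLICY = {
    "dba":       {"accounts": {"oracle/sys"},
                  "commands": {"sqlplus", "rman", "expdp"}},
    "win-admin": {"accounts": {"win/Administrator"},
                  "commands": {"net", "sc", "powershell"}},
}
SESSION_TTL = timedelta(hours=1)
T0 = datetime(2010, 11, 3, 10, 0)   # constructed reference time for the demo


@dataclass
class Session:
    id: str
    user: str
    role: str
    account: str
    expires: datetime


class PrivilegedVault:
    def __init__(self, policy=POLICY, session_ttl: timedelta = SESSION_TTL) -> None:
        self.policy = policy
        self.ttl = session_ttl
        self._secrets: Dict[str, str] = {}      # account -> current password
        self._sessions: Dict[str, Session] = {}
        self.audit: List[dict] = []             # the individual-accountability trail

    def _log(self, event: str, **fields) -> None:
        self.audit.append({"event": event, **fields})

    def enroll(self, account: str) -> None:
        """Take over a shared account: the vault sets a password nobody knows."""
        self._secrets[account] = secrets.token_urlsafe(24)
        self._log("enroll", account=account)

    def checkout(self, user: str, roles: List[str], account: str,
                 now: datetime, ticket: Optional[str]) -> Tuple[Session, str]:
        """Release the credential for one session, tied to a named user, a role
        the policy allows for that account, and a change ticket."""
        role = next((r for r in roles
                     if account in self.policy.get(r, {}).get("accounts", ())), None)
        if role is None or not ticket or account not in self._secrets:
            self._log("checkout_denied", user=user, account=account, ticket=ticket)
            raise PermissionError(f"{user} may not check out {account}")
        sess = Session(secrets.token_hex(8), user, role, account, now + self.ttl)
        self._sessions[sess.id] = sess
        self._log("checkout", user=user, account=account, ticket=ticket, session=sess.id)
        return sess, self._secrets[account]

    def authorize_command(self, session_id: str, command: str, now: datetime) -> bool:
        """Command control: only the role's allowed programs may run, and only
        while the session is live."""
        sess = self._sessions.get(session_id)
        if sess is None or now > sess.expires:
            return False
        parts = command.split()
        allowed = bool(parts) and parts[0] in self.policy[sess.role]["commands"]
        self._log("command", session=session_id, user=sess.user,
                  command=command, allowed=allowed)
        return allowed

    def checkin(self, session_id: str) -> None:
        """End the session and rotate the password, so the value the user saw
        is worthless from here on."""
        sess = self._sessions.pop(session_id)
        self._secrets[sess.account] = secrets.token_urlsafe(24)
        self._log("checkin_rotate", session=session_id, account=sess.account)

    def current_password(self, account: str) -> str:
        # Exposed only so rotation can be checked; a real vault would not do this.
        return self._secrets[account]


def demo() -> List[dict]:
    """One DBA session: checkout with a ticket, one allowed and one denied
    command, check-in with rotation. Returns the audit trail."""
    vault = PrivilegedVault()
    vault.enroll("oracle/sys")
    sess, _pw = vault.checkout("alice", ["dba"], "oracle/sys", T0, "CHG-1042")
    vault.authorize_command(sess.id, "sqlplus / as sysdba", T0)
    vault.authorize_command(sess.id, "rm -rf /u01/app", T0)
    vault.checkin(sess.id)
    return vault.audit


if __name__ == "__main__":
    for entry in demo():
        print(entry)
```

Two things in this toy are what auditors actually ask for: every audit record carries the individual user, never just the shared account name, and the rotation at check-in is what turns a shared password into a one-session secret. The nonhuman-account case (services and scripts) is the same `enroll`/rotate cycle driven by a scheduler rather than a person, with the new value pushed to the dependent services.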



7  Privilege-Management  Tips 

Develop  a  long-range  and  short-range 
Strategy.  While  your  organization  may 
be  addressing  particular  pain  points— an 
audit  failure  on  a  particular  platform  or 
in  a  business  group,  operational  problems 
with  a  manual  process,  production  inter¬ 
ruptions  or  a  data  breach  inadvertently 
or  intentionally  caused  by  someone  with 
shared  credentials— lack  of  PIM  is  usually 
a  systemic  problem  that  touches  all  enter¬ 
prise  systems. 

If  you  choose  a  PIM  product  to  address 
a  limited  objective  (for  example,  pass  the 
next  audit  or  control  access  to  a  CRM  sys¬ 
tem),  you  may  wind  up  buying  a  solution 
that  will  not  meet  all  your  needs. 

“Shared  accounts  pose  almost  the  same 
risk  regardless  of  whether  it’s  a  shared  DBA 
[database  administrator]  account  giving 
access  to  a  database,  or  an  admin  accessing 
a  Cisco  router,  or  a  shared- account  e-mail 
admin  accessing  an  Exchange  server,”  says 
Cyber-Ark  Executive  Vice  President  Adam 
Bosnian.  “If  I  can  use  the  system,  as  an 
admin,  to  do  my  bidding,  I  have  a  powerful 
tool  to  do  some  real  damage.” 

Unless  you  take  a  global  approach,  you 
will  not  understand  how  your  disparate 
systems  are  interconnected  and  dependent 
on  one  another.  You  will  fail  to  develop  poli¬ 
cies  and  processes  that  will  form  an  effec¬ 
tive  foundation  for  your  privileged-identity 
program. 

So  invest  in  PIM  with  the  big  picture  in 
mind.  Take  a  broad  view  and  develop  an 
enterprise  strategy.  Then  you  can  prioritize 
where  you  will  start  your  implementation 
based  on  which  systems,  applications  and 
platforms,  or  class  of  privileged  users  (such 
as  Windows  sysadmins  or  DBAs)  pose  the 
greatest  risk,  will  affect  the  largest  number 
of  users,  and  so  on.  Take  a  phased  approach 
based  on  a  broad,  long-term  strategy.  Each 
phase  is  a  significant  project  and  will  ben¬ 
efit  from  a  strong  overall  direction  and 


experience  in  preceding  phases. 

“You  need  to  take  comprehensive  look; 
when  you  get  into  IT  departments  every¬ 
thing  is  connected  to  everything,”  says 
Jeff  Nielsen,  vice  president  of  engineer¬ 
ing  for  BeyondTrust.  “Here’s  the  financial 
database  connected  to  the  CRM  database, 
which  is  connected  to  an  order-fulfillment 
app.  There’s  sensitive  data  throughout  the 
chain.” 

A  broad  plan  with  a  staged  implantation 
will  also  help  demonstrate  to  auditors  that 
you  have  a  program  and  tools  in  place  to 
that  will  address  shortcomings  on  a  defined 
schedule. 

Require full-platform coverage. A global strategy requires global applicability. You may be focused on Windows administration, for example, in your initial phase, but what about the Unix and Linux server accounts you plan to address in the third quarter? Is your company standardizing on one database platform or network infrastructure vendor, or do you expect to have a heterogeneous environment for the foreseeable future? How will mergers and acquisitions affect the types of accounts you will need to manage?

“We looked at some applications that don’t manage the full breadth of Unix and Linux, or they only do Windows, or they don’t do SQL Server,” says an information-security analyst for a large federal credit union, which is a Lieberman Software customer.

Also consider the difficulty and cost involved in supporting custom applications.

Leverage integration with your existing resources. PIM doesn’t exist in a vacuum. In particular, make sure the PIM products work seamlessly with your identity management (IdM) systems and directories to automatically provision and de-provision user privilege according to corporate policy.

That policy should be reflected in your Active Directory group memberships or other directory repository of choice, and in role-based provisioning through your IdM. The PIM should automatically update in real time, or as close to it as possible, to reflect changes in group memberships and assigned group and individual user roles. These assignments can be highly dynamic, as employees are hired, leave, change jobs within the organization, or are granted temporary roles based on need.

One essential difference between IdM and PIM products is the problem of shared privileged accounts, since shared accounts cannot be tied to an individual. PIM addresses the issue by eliminating the need for shared accounts and their shared passwords by controlling access based on individuals’ functions as defined by their roles. So tight integration with IdM is important if PIM is to be effectively automated and scale throughout the enterprise by leveraging existing identity policy and mechanisms.

These policies and their associated processes should include a well-defined change-approval workflow that can be effectively automated, so tight native integration with your ticketing system is another key point to look for. So, for example, when an admin requires authorization to modify the rule sets on a group of firewalls, the access request triggers a well-defined and automated workflow-approval process based on policy and managed through the ticketing system.

Security information and event management (SIEM) integration can also be quite valuable. Since PIM ties administrative privileges to individuals, your SIEM can correlate this information with data from other security systems to detect and analyze anomalous and possibly malicious activity tied to individuals rather than shared, anonymous accounts. And if privileged access was gained without going through the PIM, that may indicate a hacker or an automated attack.
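The correlation just described, as an added example that is not part of the article or of any vendor's product: it parses constructed privileged-logon lines in the shape a SIEM might normalise them to, matches each against constructed PIM checkout records, attributes covered logons to the individual and the approving ticket, and flags the rest as privileged access that bypassed the PIM. The record layouts, host names and the five-minute clock-skew grace are assumptions.

```python
"""Correlate privileged logons with PIM checkout records.

Added example with constructed data. The record layouts, host names and
five-minute clock-skew grace are assumptions, not any product's schema.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional


@dataclass(frozen=True)
class Checkout:
    """One privileged-access grant recorded by the PIM."""
    user: str        # the individual who requested the access
    account: str     # the privileged account handed out (root, Administrator, ...)
    host: str
    start: datetime
    end: datetime
    ticket: str      # change ticket that approved the request


@dataclass(frozen=True)
class PrivLogin:
    """One privileged-account logon as normalised by the SIEM."""
    when: datetime
    account: str
    host: str
    src_ip: str


@dataclass(frozen=True)
class Finding:
    login: PrivLogin
    attributed_to: Optional[str]   # individual named by the PIM record, if any
    ticket: Optional[str]
    verdict: str                   # "attributed" or "outside-pim"


# Constructed PIM checkouts (not real data).
CHECKOUTS = [
    Checkout("alice", "root", "db01",
             datetime(2010, 11, 3, 9, 0), datetime(2010, 11, 3, 11, 0), "CHG-1001"),
    Checkout("bob", "Administrator", "fw-mgmt",
             datetime(2010, 11, 3, 13, 0), datetime(2010, 11, 3, 14, 0), "CHG-1002"),
]

# Constructed privileged-logon events in a hypothetical key=value format.
RAW_LOGINS = [
    "2010-11-03T09:15:00 account=root host=db01 src=10.1.1.5",
    "2010-11-03T12:30:00 account=root host=db01 src=10.1.1.5",            # after alice's window
    "2010-11-03T13:20:00 account=Administrator host=fw-mgmt src=10.1.2.9",
    "2010-11-03T02:05:00 account=root host=web07 src=203.0.113.7",        # no checkout at all
]


def parse_login(line: str) -> PrivLogin:
    """Parse one normalised logon line."""
    ts, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    return PrivLogin(datetime.fromisoformat(ts), kv["account"], kv["host"], kv["src"])


def find_checkout(login: PrivLogin, checkouts: List[Checkout],
                  grace: timedelta = timedelta(minutes=5)) -> Optional[Checkout]:
    """Return the checkout that covers this logon, allowing a little clock skew."""
    for c in checkouts:
        if (c.account == login.account and c.host == login.host
                and c.start - grace <= login.when <= c.end + grace):
            return c
    return None


def correlate(lines: List[str], checkouts: List[Checkout]) -> List[Finding]:
    """Attribute each privileged logon to an individual via the PIM, or flag it."""
    findings = []
    for line in lines:
        login = parse_login(line)
        c = find_checkout(login, checkouts)
        if c is None:
            findings.append(Finding(login, None, None, "outside-pim"))
        else:
            findings.append(Finding(login, c.user, c.ticket, "attributed"))
    return findings


def outside_pim(findings: List[Finding]) -> List[Finding]:
    """Privileged logons with no PIM record behind them: the alerts worth a look."""
    return [f for f in findings if f.verdict == "outside-pim"]


if __name__ == "__main__":
    for f in outside_pim(correlate(RAW_LOGINS, CHECKOUTS)):
        print(f"ALERT {f.login.when.isoformat()} {f.login.account}@{f.login.host} "
              f"from {f.login.src_ip}: no PIM checkout covers this logon")
```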

Assess your existing processes. Evaluate your existing policies, processes and mechanisms for managing privileged identity, understand the pain points and determine if purchasing and implementing PIM is going to effectively address those issues.

“If the organization has a well-defined process, product deployment is a slam dunk,” says Kris Zupan, e-DMZ’s CTO. “If the existing process is a root password that hasn’t changed in four years, trying to initiate process in addition to adding technology is another matter.”

PIM is of limited value unless it is implemented on a foundation of well-defined policies and processes, which provide a clear understanding of corporate requirements, including:

■ The business requirements for privileged access, defined by system, business unit, and so on.
■ Who should be granted privileges as a matter of course and the circumstances under which exceptions may be made.
■ What level of privilege is actually required, for how long and under what circumstances.
■ The rules for provisioning and de-provisioning privileged access and authorization.
■ The approval workflow process, including verification and audit trail.
■ The triggers and responses when requests or attempts to access violate corporate policy.

“You probably fall short in managing privileged identity,” says the security lead for a midsize manufacturing company, “if the processes you run and the benchmarks you hold yourself to are not well defined or aligned with standards, and if you are not aware of and assessing yourself in terms of those.”

That said, there is some value in a preliminary deployment of PIM software to help determine your organization’s current security posture regarding privileges. It can serve as an initial step toward developing a sound program supported by appropriate technology. If the product has auto-discovery capabilities, you can gain insight into where all your privileged accounts are—there are probably thousands of them, many of which may still be using default admin passwords—and begin to assess how they are shared and used to develop policies and processes for reining them in.

If your privilege-management program is largely manual, examine the weaknesses in your procedures from a security and audit perspective, and consider the cost of the resources dedicated to maintaining it.

“I’ve run into companies that have very successful manual implementations, but there are a number of downsides in terms of implementation,” says Phil Lieberman, president and CEO of Lieberman Software. “Some change processes, in terms of retrieving passwords, take 10 to 40 hours.”

For example, organizations will often rotate and secure privileged passwords by committing them to paper and locking them in safes. The problem is, the passwords are still known and can be shared, even if corporate policy says they shouldn’t be, and the time and effort required to repeat this process according to a regular password-rotation schedule for hundreds or thousands of passwords is daunting.

Audit: The Big Stick

Vendors say regulatory compliance and audits are still the primary drivers in the PIM market. “Seventy percent of our customers or prospects come in as a result of some open audit issue,” says Martin Ryan, e-DMZ Security’s vice president of worldwide sales.

Initially, SOX was the main market driver, but now PCI is generating a lot of interest, along with HIPAA, the North American Electric Reliability Corporation’s Critical Infrastructure Protection standards and European regulations.

“Compliance is the big issue for us,” says an information security analyst for a large federal credit union that uses Lieberman Software. “We had open audit issues associated with service accounts; passwords hadn’t been changed since dirt was cleaned.”

The effort required to identify and change all the service accounts was prohibitive, she says. “There are all those dependencies,” she says. “It was problematic, a huge security lapse. We got nicked six different times over several years in audits.”

PIM tools can help address audit issues in several ways, including:

■ Discovery of privileged accounts throughout the enterprise
■ Replacement of shared accounts with granular role-based access and authorization
■ Automated password generation and rotation
■ Integration with identity management and authentication tools
■ Secure storage of password data
■ Detailed audit trails to prove controls are in place and effective

Often, change records, authorization requests and fulfillment are managed by spreadsheet, which becomes a bottleneck that can impede business.

Manual systems are, of course, subject to human error and can be bypassed, and are difficult or impossible to prove to an auditor. Moreover, a single system will often have a number of services that are dependent on the password change.

“Our BlackBerry Enterprise Server has administrative passwords associated with 28 services,” says a federal credit union analyst. “If I had to change the BES password, find the associated services, and change them all by hand, we would lose a key productivity tool for an extended period of time.”

Manual processes may be linked to role-based provisioning, directories and ticketing systems by policy, but can fail because there is no automated dependency management.

Consider the scope of workstations. Local administrator privileges on Windows clients can create security risks and pose operational problems. Users with local admin rights can install applications and make configuration changes that put their computers at risk of being compromised in a way that could extend to other workstations and to sensitive data stores. These changes can also cause functional problems that put a strain on your help desk.

“If you need local admin rights, our first response is, ‘What for?’” says a security officer for one of the world’s largest financial institutions, a BeyondTrust customer. “If you just need to change the clock on your laptop because you travel, we’ll put you in a group for that. You don’t need to run Regedit or install software.”

The initial solution, he says, was to require everyone who felt they needed local admin rights to submit a request; as a control, a home-grown script scanned workstations hourly to see if local admins had been added. Any additions were reconciled with the request system.

One problem, he says, was that users could still violate policy and get local admin rights between scans. More important, he says, was the audit problem.

“Reacting to the problem doesn’t solve the problem,” he says. “From an audit perspective, we need to have very detailed records of who has local admin rights and how we are managing them, and [to be able to] prove that the person is removed.”

The PIM tool, he says, has allowed the company to effectively remove and prevent unauthorized local admin rights in a way that’s transparent to end users.

Include outsourcing in your PIM policies and processes. Enterprise responsibility for data security doesn’t stop when you outsource IT management, development and infrastructure. You need to be concerned with and extend privilege management to service providers, from the vendor managing corporate firewalls to the infrastructure-as-a-service cloud provider hosting storage and networking equipment in support of your operations.

In these common scenarios, concern over privilege extends, for example, to the service providers you let in to remotely manage your on-premise systems as well as the nameless admins working for the cloud-service providers who lay hands on your remote infrastructure. These service providers should be in scope for your policies and processes, and, where possible, controlled through your PIM product. This will require buy-in by the service provider to require its admins to adhere to your corporate policy and be managed by its supporting technology as a condition of doing business. In addition, look for service providers that have well-documented and well-audited PIM processes and technology.

Get buy-in from IT, business units and management. This is always sound advice when implementing any new security technology, but perhaps even more important when you’re dealing with privileged accounts.

“I’ve been in IT for about 15 years, and PIM has been an issue all along,” says the credit-union analyst. “I’ve always wrangled with how to handle changing passwords—most IT folks, when presented with that, don’t want to deal with it. They don’t understand or don’t see why.”

The issue is in the evolution of privileged access from the mainframe era, in which a core of trusted admins were the only ones who needed accounts and had to know the passwords, to a Windows-based client-server environment and then to the exposure of business applications to the Internet.

“It’s kind of a badge of pride in admin ranks that they know privileged passwords and that the company trusts them,” says BeyondTrust’s Nielsen. “A lot of admins are starting to understand, but there’s a lot of pushback from the technical community: ‘I’ve known the password for 10 years and never misused it.’”

Both IT and the business units they support have to be brought into the discussion from the beginning. The assumption that all the people who have unfettered and unlimited administrative access need it for the sake of the business must be dispelled. You are up against longtime practices, concern over turf, and the fear that business will be impeded and key applications broken if privileged users and accounts are tightly controlled.

This will require you to explain the security and operational issues posed by poor privilege control, point out the applicable regulatory requirements, and demonstrate that the processes and technology will make IT and the business function more smoothly. Above all, you’ll need support from management.

“For us, one of the key items was making sure that what we were working on, from a technical point of view, was aligned with and supported in terms of funding and priority with senior managers,” says the manufacturing company security lead. “You have to have enough of a clear business case, based on risk assessment, to get clear support from the executives who control the purse strings.” ■

Neil Roiter is a freelance writer based in Massachusetts. Send feedback to Derek Slater at dslater@cxo.com.
Dunkin’ Brands CSO John Sullivan reworks security to focus on franchise profitability

By Joan Goodchild

It was an industry conference that sparked something inside Jack Sullivan, director of Corporate Security and Loss Prevention for Canton, Mass.-based Dunkin’ Brands. At a security conference in Boston several years ago, Sullivan says, the speakers on the agenda were largely from Fortune 100 companies. He was expecting the usual presentations, mostly advocating guards and gates. Instead, what he saw was business leaders with security and investigations backgrounds talking about how they use their expertise to drive their businesses.

“For example, instead of a tired presentation about how to conduct a background investigation, they spoke about the economic benefit of hiring the best people because of their thorough background-check procedure,” he recalled. “They demonstrated the ROI of having a vigorous background-investigations program and coached us on how we should position our argument to executives to justify an enhanced background-check program. Once I saw how these leaders approached their roles, I completely reimagined how I looked at what I could do for my organization.”

[Photo: Keeping a close eye on cash registers can help with training as well as loss prevention at the point of sale.]

Reimagining and rebuilding the security program at Dunkin’ Brands, which owns Dunkin’ Donuts and Baskin-Robbins—chains of coffee shops and ice cream stores—and has 13,000 stores in 31 countries worldwide, was Sullivan’s vision for the next several years. What was initially a three-person retail-loss-prevention and royalty-assurance department is now a 30-plus-person department that owns global corporate security, loss prevention, due diligence, business continuity, disaster recovery, travel security and a host of other duties. Sullivan’s mission from the start has been to move from being perceived as the department that always says “no” to an enterprise risk-management model that is fully integrated in all facets of the business.

“Security departments have long been thought of as a place where ideas go to die,” notes Sullivan, who has a master’s degree in government from Harvard University and who earned a criminal justice degree at Curry College.

26 www.csoonline.com November 2010
Photo left by Carl Spackler; right by Tim Gray

“I try to encourage my team to think of themselves as business people with security and investigations backgrounds rather than as security and investigative professionals that happen to be working in a business. We need to have business skills similar to those any other corporate employee is expected to have.”

But it was a perception that was going to have to change not only within the security department, but throughout the Dunkin’ Brands organization.

“In a meeting a while back, our CEO listed the departments that would have the biggest roles in improving sales in our restaurants in the coming year,” he says. “Our department was not mentioned as we were focused on policy enforcement that did not add material economic value to our franchisees or the enterprise. I was determined to make my team as valuable to the economic success of the business as any other business unit.”

[Photo: Dunkin’ Donuts operates in 31 countries, including South Korea (above).]

From Deterrence to Making Dough

One of his first focus points was helping Dunkin’ Brands franchisees, where turnover can be as high as 200 percent annually, identify employee theft, which can total millions in loss each year. Until Sullivan got involved, franchisees were left to their own devices when it came to loss prevention. But Sullivan saw an opportunity to boost profits for franchisees and the company.

“Five years ago, if I thought we needed new CCTV technology in our restaurants, I would have given our executives and our franchisees an elevator speech on the deterrence value of the cameras. My viewpoint would have been as the head of security rather than a business executive,” says Sullivan, who was director of security for the Joslin Diabetes Center in Boston before coming to Dunkin’ Brands.

“Today, I would approach the executives and our franchisees with a business case focused around the percentage of increase to the top line the CCTVs will provide, along with a defendable ROI. Because we have fully integrated security into the business strategy, this approach positions my department as a business driver and a success enabler, not just the department that enforces policy.”

Sullivan is no stranger to fraud investigation. He was at one time a special agent with the Department of Health and Human Services Office of Inspector General and the chief investigator of the Commonwealth of Massachusetts Health Care Fraud Unit. So fraud was where he first searched for proof of how security can drive change and profit.

Sullivan and his team at Dunkin’ Brands decided to adopt a strategy that involved integrating video and point-of-sale data, and using exception-reporting software to zero in on suspicious transactions. In a typical POS theft scheme, the offending employee will underring a sale, manipulating the cash register to expect a smaller amount than the customer is charged, then pocket the difference.

Sullivan implemented a third-party data-investigation service that can query Dunkin’ Brands’ point-of-sale database in search of suspicious transactions, remotely access the corresponding video for confirmation and report incidents of employee fraud to franchisees. They zeroed in on one particularly problematic location at the outset.

“Each transaction from the system flows into a database of sales-transaction information. My team analyzes the data and then informs the franchisee of our belief that theft is occurring. The franchisee then reviews his own surveillance video to confirm our suspicions.”

The results were excellent. By analyzing suspicious transactions, the Dunkin’ Brands corporate loss-prevention staff discovered that several employees were defrauding the franchisee by ringing up one-cent sales and keeping the money the customers gave them. Sales went up 30 percent at the store as soon as the offending employees were terminated, according to Sullivan.
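An exception report of the kind described above, as an added example that is not Dunkin’ Brands’ or its service provider’s code: constructed register transactions are checked against an assumed menu price list for one-cent sales and underrung totals, each cashier’s exception rate is computed, and the flagged transactions are listed with the timestamps a franchisee would use to pull the matching video. The price list, the thresholds and the cashier IDs are all assumptions.

```python
"""POS exception report: flag one-cent sales and underrung transactions.

Added example with constructed data; the price list, thresholds and
cashier IDs are assumptions, not Dunkin' Brands' figures.
"""
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Hypothetical menu prices (constructed).
PRICES = {"coffee": 1.89, "donut": 0.99, "cake": 24.99}

ONE_CENT_MAX = 0.05      # anything rung at or below this counts as a "one-cent sale"
UNDERRING_RATIO = 0.6    # a rung total below 60% of list price is treated as an underring


@dataclass(frozen=True)
class Txn:
    txn_id: str
    when: str            # register timestamp; used to pull the matching camera footage
    cashier: str
    items: Tuple[str, ...]
    rung: float          # amount the cashier actually entered on the register


# Constructed sample transactions for one store, one morning (not real data).
TXNS = [
    Txn("T1", "2010-11-03 07:02", "emp7", ("coffee",), 1.89),
    Txn("T2", "2010-11-03 07:05", "emp7", ("coffee", "donut"), 2.88),
    Txn("T3", "2010-11-03 07:09", "emp7", ("coffee",), 0.01),          # one-cent sale
    Txn("T4", "2010-11-03 07:15", "emp3", ("coffee", "donut"), 2.88),
    Txn("T5", "2010-11-03 07:20", "emp7", ("cake",), 0.01),            # one-cent sale
    Txn("T6", "2010-11-03 07:31", "emp3", ("cake",), 24.99),
    Txn("T7", "2010-11-03 07:40", "emp7", ("coffee", "donut"), 0.99),  # coffee left off the ring
    Txn("T8", "2010-11-03 07:44", "emp3", ("donut",), 0.99),
    Txn("T9", "2010-11-03 07:50", "emp3", ("coffee",), 1.89),
]


def list_price(items: Tuple[str, ...]) -> float:
    """Expected total for the items on the receipt."""
    return round(sum(PRICES[i] for i in items), 2)


def classify(t: Txn) -> Optional[str]:
    """Return the exception reason for a transaction, or None if it looks normal."""
    if t.rung <= ONE_CENT_MAX:
        return "one-cent-sale"
    if t.rung < UNDERRING_RATIO * list_price(t.items):
        return "underring"
    return None


def exception_report(txns: List[Txn]) -> Tuple[List[Tuple[Txn, str]], Dict[str, float]]:
    """Flag exceptions and compute each cashier's exception rate.

    Returns (flagged, rates): flagged is a list of (transaction, reason) and
    rates maps cashier -> flagged / total transactions for that cashier.
    """
    flagged = []
    for t in txns:
        reason = classify(t)
        if reason is not None:
            flagged.append((t, reason))
    totals = Counter(t.cashier for t in txns)
    hits = Counter(t.cashier for t, _ in flagged)
    rates = {c: hits[c] / totals[c] for c in totals}
    return flagged, rates


def suspects(rates: Dict[str, float], min_rate: float = 0.25) -> List[str]:
    """Cashiers whose exception rate is high enough to justify a video review."""
    return sorted(c for c, r in rates.items() if r >= min_rate)


def video_pull_list(flagged: List[Tuple[Txn, str]], cashier: str) -> List[Tuple[str, str, str]]:
    """(timestamp, txn_id, reason) for one cashier, so the franchisee can check the footage."""
    return [(t.when, t.txn_id, reason) for t, reason in flagged if t.cashier == cashier]


if __name__ == "__main__":
    flagged, rates = exception_report(TXNS)
    for c in suspects(rates):
        print(f"{c}: exception rate {rates[c]:.0%}")
        for when, txn_id, reason in video_pull_list(flagged, c):
            print(f"  {when} {txn_id} {reason}")
```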

Corporate Goals Guide Security’s Priorities

These days, Sullivan says his basic philosophy is to concentrate on the strategic goals of the business and mold the security program to enable those goals. His team includes four direct reports: a senior manager of investigations, a senior manager of analysis, a manager of physical security, and an employee protection lead. Each manager runs a team of between two and 10 people, says Sullivan. All are encouraged to use their investigative or security disciplines to enhance the larger business rather than trying to fit business objectives into existing security strategies. He says he lets the corporate strategy inform the goals he sets for the department and focuses on adding value rather than rigidly enforcing policy.

“At the start of each year, I send my personal goals to my team,” explains Sullivan. “These are the same goals that all employees have to develop and review with their supervisors each year. All of my goals revolve around my basic philosophy of using enterprise risk-management techniques to attain the goals that the organization has set in its annual strategy sessions. I coach my team that their personal goals for the year should be based on how they can use their security and investigative backgrounds to drive economic impact to our organization.”

Employees are held accountable to these goals as a way of continuing the cultivation of this way of thinking, says Sullivan. The topics discussed at team meetings and regular conference calls all flow from the basic philosophy that corporate strategy drives their work. It is a constant effort to maintain and develop this mind-set, he says, but it has paid off in many ways throughout the organization.

“At the corporate level, we have also made it easier for our executives to travel abroad in emerging markets. Whereas in the past, we might have tried to discourage the travel, we have now adopted a business-first mind-set in which we realize that the company must explore emerging markets in order to stay competitive. Today, when an executive wishes to travel to a new market area, the answer is, ‘Here is how we can support your efforts.’ We use the latest threat analysis, close protection, active monitoring, check-in procedures and emergency evacuation plans to enable business objectives.”

Sullivan also created a new business-continuity program for the company, an effort, he says, that emphasizes the financial impact of a possible disaster. The plan includes the results of a business-impact analysis he conducted to determine which departments need to get back to work first and which can be delayed. The process required sound business acumen and input from many stakeholders in the organization.

“Developing a business-continuity program provides a great opportunity for security executives to be recognized as a business leader. Don’t fall into the old line of thinking that your role begins and ends with providing physical security in a disaster. Your role is to define a strategy on how to get your organization earning revenue once again by getting individual departments back to work after a disaster.”

In addition to enabling the business and prepping for business continuity and disaster recovery, Sullivan says his efforts also include streamlining operations within the security department.

“Every morning I review our Security and LP dashboards that detail our metrics from the prior day, week and month. These are a mix of custom-built dashboards and spreadsheets that we input our data to each day. I watch for trends in either direction and meet with my senior managers to tweak our process to improve efficiencies if we can. I also review sales reports for both of our brands so I can keep an eye on our business. Those reports keep me aware of our results on a daily basis and give me benchmarks that we can use to calibrate where we devote our resources. By looking at these reports daily, we can make changes in the moment before any downward trends can get a foothold.”

Coffee Talk Leads to New Concepts

Sullivan says he views Dunkin’ Brands’ internal corporate partners and franchisees as customers and tries to speak with as many of them as possible on a daily basis with informal visits and chats.

“I can almost always walk away with another idea on how we can better serve the business. It’s the best way to learn how your programs are impacting people. It’s easy to stay behind a desk all day trying to manage a P&L or to keep up with e-mail, but I make it a point to get up and walk through other departments to be seen and to informally solicit feedback.”

Throughout his week, he seeks out opportunities for informal chats to get feedback and ideas, and also to educate others in the company on what his department does.

“I recently shared a coffee break with our head pastry chef,” he says. “Our paths have never crossed before, but I thought he’d be interesting to speak to. Once he found out what I did for the company, he expressed frustration about ice-cream-cake theft. I told the chef that my department actually has a number of people working on that issue. He was stunned and excited that his culinary work was being well protected. You can’t assume that everyone in your organization understands what you do.”

Sweet Success

Based on the feedback he is getting from other departments, Sullivan says he believes his efforts are a success. Perhaps the best compliment of all, he says, is the attention he now gets from the C suite.

“We are now at the table for every decision as it pertains to risk mitigation globally. One of the best measures of our value is that C-suite executives now engage, asking me what my team can do to solve a particular business challenge.”

Sullivan sees integration into business strategy as his ultimate goal, and he thinks his department is now there. Case in point: Recently, Sullivan spoke with a new hire who had been brought on to head one of the company’s brands. He met him on his way out of a board meeting and the new hire informed him he had big plans for the future, plans that would include Sullivan’s security team.

“He told me that, based on what he was hearing about my department’s performance, he had just told the board of directors that the security and loss-prevention department would be a key piece of his plan for his brand’s success in the coming years. He told me that we would be [joined] at the hip as he tried to lead this brand. Thinking like that is exactly what I have been striving for as I try to get business leaders to fully integrate security departments into the overall strategic vision for their companies.” ■

E-mail Senior Editor Joan Goodchild at jgoodchild@cxo.com.
How to Keep

On

Seven common reasons for failure, and the keys to succeeding instead

By Dan Lohrmann

You’ve probably heard the phrase, “Failure is the key to success.” But are security professionals really learning from their mistakes? As identity theft and online risks keep growing, is our industry rising to the challenge or repeating the miscues of the past? While security technology is improving, the bad guys also have access to better tools. So are the good guys working smarter?

Conventional wisdom says we need more staff training and technical security certifications. Others say higher salaries, a better understanding of the bad guys, more executive leadership training or more top-level executive buy-in are needed. While all of these help, I’ve seen security staffs with all of the above fail.

As I’ve traveled the world, I’ve identified some common traps that cause security pros to fail. What works and what doesn’t in achieving the best security results? If you call yourself a security professional, here are seven lessons you need to learn.

Problem #1: Security Is Thought of as a Disabler

Security professionals are often viewed as the party poopers. This threatens the credibility of every security consultant. Are you bringing problems or offering solutions? Are you viewed negatively by the business?

Take cloud computing, for example. The technology world is rushing into the cloud, but while thousands of positive articles are being written about the ROI and transformational aspects of new cloud architectures, the security world is busy printing articles about why the cloud is a bad idea.

Key #1: Become a Facilitator. So what can be done? Stop saying “no” to your customers! Offer secure solutions. Be an enabler. Tell them how you will ensure that their project is delivered on time, on budget and with the right level of security. Ask yourself whether the business sees value or roadblocks in your approach.

Back in 2004, when I was Michigan’s CISO, I was in the “no wireless” camp. I quoted many experts from the NSA and other three-letter agencies who said that wireless networks simply could not be protected. My boss at the time was Teri Takai, who’s now California’s CIO. She challenged me to deploy secure wireless, following examples from several companies. Teri’s advice made me rethink my business approach. Over time, I became known as an enabler of new technology, and Michigan won awards for our secure wireless networks.

Problem #2: Security Offers Only One Solution

A second common mistake that security professionals make is to take a one-size-fits-all approach to cybersecurity. We see things as black and white—for example, either it’s encrypted or it isn’t.

The common perception is that enterprise architecture teams come up with a great design that the programmers, network guys and everyone else agrees to, only to have security come in and offer a “solution” that totally changes the architecture. They want to add firewalls, zones, restrictions, new black boxes and more—it’s so much that the cost increases keep the project from moving forward. While the security staff may view providing this kind of answer as a can-do approach, others see it as creating impediments.

Key #2: Offer ‘Gold, Silver and Bronze’ Options. Try to offer at least three alternatives. Look for other solutions from Gartner, Forrester, tech magazines and colleagues at other companies. Check with industry associations, former coworkers and outside experts who can help come up with a range of solutions. Help the business understand the risks associated with each option, then let its members make the final selection.

One warning: Watch out for people who always pick the cheapest answer. Don’t offer alternatives that won’t work or that you can’t live with. If the mood in the room is totally low-cost, make sure that the risks are made clear before agreeing to deploy a “bronze” approach.

You might even have to bring in an outside expert to brief everyone. If you have a bad relationship with the business people, consider allowing them to pick the expert—but make sure the person has credibility in the area being discussed.

Problem #3: Not Enough Humble Pie

No doubt, customers across the globe would prefer to work with someone who has a positive, friendly, humble, patient attitude. Unfortunately, this description doesn’t fit many security professionals (except when they are talking to other security professionals). Rather, we tend to bypass processes and demand urgent action for the-sky-is-falling-level priorities.

We preach against fear, uncertainty and doubt (FUD)—but we don’t practice what we preach. Why? Because (regularly updated) FUD usually works. Security staff use legal compliance, dark-side hackers, malware problems, Third World threats and identity theft as trump cards. Staff can act as if these challenges are the only problems truly worth fixing. Bottom line, we forget our place and the reason for the security team’s existence.

Key #3: Display Genuine Humility with Professional Excellence. The old adage “Pride comes before a fall” needs to be at the forefront of security professionals’ minds. The bad guys are always getting better. They are working harder than ever to defeat whatever you are doing to protect your enterprise. This knowledge alone will change your perspective on your job and on when you are truly done. What worked today may not work tomorrow. So be careful about the promises you make to others regarding the protections you are deploying.

Goals in this area should include good collaboration and following established project life-cycle processes that build in security. Declare an emergency only rarely, or others will think you are crying wolf. Seek to be a respected team player. Treat others as you would have them treat you. One tip: Join the office softball team or take part in some other fun company activity.

Problem #4: Believing the Customer Is Clueless

So, here you are with that annoying client. You’ve thought it through and concluded that the business team doesn’t understand computer security. They don’t realize the risks they are taking. They just want to check the box quickly and move on. They won’t pay for the controls, and you’re being forced to try to convince the auditors that you’re in compliance.

Worse than that, you’ve now concluded that the business team will never get it. You’ve emotionally checked out. This has led to an unspoken us-versus-them mentality at project meetings. Problem is, they’ve got the money, influence and power to make things happen.

Key #4: Improve Customer Relations by Separating the People from the Security. One industry expert who has successfully completed dozens of major integration efforts told me this: “True, we always need to overcome people, process and technology issues, but they are not even close to being equal in difficulty. Over 90 percent of the problems are really people issues.”

For starters, the business is made up of people. These people have families, play golf (or another game) and cheer for local sports teams. Remembering this will help you resist the urge to demonize them or write them off. More than that, it will help you separate the tough issue you’re addressing from the person you disagree with. Remember that the relationship will usually last longer than the current challenge.

Get to know the business, one person at a time. Build trust. If you listen to your customers over lunch, you will naturally build relationships that outlive the bad things that happen. The customer is (usually) not clueless—so figure out what you don’t know that he or she does.

Problem #5: Personal Cyber Ethics: Are You an Insider Threat?

Many security pros see themselves as white-hat hackers who are exempt from the policies everyone else must follow. Does this quote from an anonymous hacker hit home?

“Cyber ethics? Hello! Most hackers I know think that phrase is an oxymoron. Rules are for kids and other people we need to keep in a box. Policies? Are you kidding me? Those rules don’t apply to us.... This is war, baby. Cyberwar never sleeps. All’s fair in love and war.”

This perspective puts you on a slippery slope. The reality is that the smarter you are, the more you advance as a cybersecurity expert, the farther you go as a hacker, the greater your temptation becomes. As you learn what the bad guys do and how they do it, the new ways to avoid detection, the secrets of the trade and the best ways to build and get around defenses, you will face a series of crossroads. Your ethics, values and beliefs will inevitably be tested. This is similar to a cop who arrests drug lords and finds a stash of cocaine or cash. Should he or she take a bit while no one is looking?

Key #5: Seek Accountability, Find a Good Mentor and Practice Virtual Integrity. We claim to be focused on risk management, and yet I never cease to be amazed at how security pros underestimate the online risks they are taking in their personal and professional lives. They risk their jobs, reputations, marriages, families—they’re even at risk for jail time. Bottom line, they think they will never be caught doing whatever they’re doing in cyberspace.

Here are a few tips to avoid falling into this trap:

1) Seek advice from respected colleagues regarding practical ethical behavior. Find one or more accountability partners who share your professional values. Remember that accountability is for winners, not losers. The best musicians, artists and athletes are accountable to coaches. Everyone who strives to improve needs accountability.

2) Find a trusted industry mentor whom you admire. Make yourself accountable to this person regarding the direction of your professional career decisions.

3) Practice the seven habits of online integrity found at www.govtech.com/pcio/Seven-Habits-of-Online-Integrity.html. After identifying your core beliefs and ethical boundaries, adhere to your values.

Problem #6: Career Burnout

Most security professionals experience symptoms of burnout at some stage in their professional careers. In one poll last year, over half of the security professionals surveyed said they were unhappy in their jobs. According to an online help guide, you might be heading toward burnout if:

■ Every day is a bad day.

■ Caring about your work or home life seems like a total waste of energy.

■ You’re exhausted all the time.

■ The majority of your day is spent on tasks you find either mind-numbingly dull or overwhelming.

■ You feel like nothing you do makes a difference or is appreciated.

Key #6: Perseverance and Work-Life Balance. We all need to recognize that stress and potentially even burnout come with the territory. Prepare for stress like you anticipate weather changes. Look for the warning signs. Being keenly aware of the burnout possibility is a first step.

Second, take some time to step back and analyze your situation at least once a year. Schedule some time to get away, and try to disconnect for at least part of the break. If you do check in with work during vacation, put barriers around your time. Talk about how things are going at work with those you trust but who have a different perspective. Get professional help from a doctor, if needed.

Third, recognize that your career is more like a marathon than a sprint. I like this quote from preacher Charles R. Swindoll: “You’re through. Finished. Burned out. Used up. You’ve been replaced, forgotten. That’s a lie.” There is always hope.

Problem #7: Career Perspective Stuck in a Box

We all need to learn the power of the Pareto principle, which states that 80 percent of the effect of our work comes from 20 percent of the causes. In John C. Maxwell’s book Leadership 101: What Every Leader Needs to Know, he describes the power of the Pareto principle at work. Here are a few examples:

■ 20 percent of your time produces 80 percent of your results.

■ 20 percent of the people take up 80 percent of your time.

■ 20 percent of your work gives 80 percent of your job satisfaction.

■ 20 percent of the people will make 80 percent of the decisions.

■ 20 percent of the presentation produces 80 percent of the impact.

Maxwell goes on to point out that we need to develop skills in four areas to be successful and maximize our effectiveness: attitude, relationships, equipping and leadership. But many security pros have given up trying to improve at all, or only work on improving technical skills.

Key #7: Lead by Moving Beyond Your Position Description. So, how can we avoid this career dead end? What is outside-the-box thinking in a security context? How can all of us gain a wider perspective to help our careers and our business clients?

Here are a few pragmatic strategies:

1) First and foremost, understand that the box placed around your position is a good thing that must be respected. Always complete your stated duties, or you may be labeled as lazy and not respected.

2) Volunteer for key committees or important ad hoc teams. Strive to lead, deliver and exceed expectations in these roles. Start a blog or wiki. Don’t hoard knowledge; freely give it away.

3) Generate good ideas. Look for organizational needs that aren’t being met. Discuss these problems and potential low-cost solutions with your management. Think partnerships—beyond your own organization. What industrywide opportunities can you take advantage of?

In conclusion, my high school football coach was the first to convince me that “you can’t keep doing the same thing and expect a different result.” Let’s apply that truth to security. ■

Dan Lohrmann is CTO of Michigan. For more on this topic, see http://blogs.csoonline.com/blog/dan_lohrmann.
[ INDUSTRY VIEW]

By Gregory Machler

Security Questions for Big Clouds

You’re a CIO or CSO of a corporation that has yearly revenues of $1 billion or more. What are the security concerns you need to address before you’ll be willing to deploy your IT infrastructure into the cloud? A few questions you probably have are: What belongs in the cloud? How should sensitive data be protected? How are encryption upgrades addressed? How do I limit access to sensitive data? And how will critical systems metadata be tracked?

Let’s assume that each corporation has a variety of firewall segments and corresponding network equipment within the vendor’s cloud. Each segment will support a variety of applications. Because other companies may be in the same cloud, they may share the same firewall segment and network components, the same database, and the same virtualized operating system and storage.

First, let’s look at some realistic security constraints your cloud vendor may have. It may be difficult to deploy all of your corporation’s infrastructure in the cloud because your IT applications may not be standardized. For example, one of the clients I worked for had a mainframe system that was integrated with a Web service. The Web service interfaced with a point-of-sale (POS) system and communicated with the mainframe through a proprietary port using TCP/IP. The mainframe received and stored sensitive credit information. The client wanted to move all of the POS system, Web service and TCP/IP communications to the cloud, but the mainframe’s application, proprietary storage infrastructure and encryption techniques made it hard. The mainframe application could potentially be ported but would likely require a difficult and expensive rewrite. An ROI analysis would be required to see if the benefits of moving this piece to the cloud would outweigh the cost of rewriting the application.

Access to sensitive data is another concern—in the cloud, SAN subsystems stripe data over many drives in the storage array. Are you comfortable with that setup? One problem is that corruption in a database, file system or disk drive could spread to other applications that share the data in the same subsystem. So you might want a method to isolate encrypted data in the database or file system, or on disk. This bounding will limit the effects if corruption occurs.

A third question to ask is, how is the encryption algorithm for stored data going to be updated? Encrypted data in various databases and file systems will need to be upgraded as processor speeds increase, making it easier to hack data. This will require decrypting the data with the older algorithm and then re-encrypting it with a new one. This may cause the newly encrypted data to take up more space in the database or file system, a side effect that also needs to be monitored.
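The upgrade path the column describes only works if every stored record says which algorithm version produced it. The following is an added example, not code from the column or from any vendor: a version-tagged envelope and a migration job that decrypts each record under the old version, re-encrypts it under the new one, skips records that were already migrated (so an interrupted run can be resumed) and counts the storage growth. The two “algorithm versions” are HMAC-SHA256 stand-ins constructed so the example runs with the Python standard library; the tags `v1`/`v2`, the nonce and tag sizes, key names and sample records are all assumptions of the example, and a real deployment would put a vetted AEAD such as AES-GCM behind the same envelope.

```python
"""Re-encrypting stored records from an old algorithm version to a new one.

Constructed example: both "algorithms" are HMAC-SHA256 stand-ins so the
migration logic runs offline. Version v1 is an unauthenticated keystream
cipher with an 8-byte nonce; version v2 uses a 16-byte nonce and appends a
32-byte authentication tag, so every migrated record grows by 40 bytes.
"""
import hashlib
import hmac
import os
from typing import Dict, List, Optional, Tuple

V1, V2 = b"v1", b"v2"  # 2-byte envelope version tags (assumed layout)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Expand HMAC-SHA256(key, nonce || counter) into `length` keystream bytes."""
    out, counter = bytearray(), 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt_v1(key: bytes, plaintext: bytes, nonce: Optional[bytes] = None) -> bytes:
    """Old format: b"v1" || nonce(8) || ciphertext. No integrity protection."""
    nonce = os.urandom(8) if nonce is None else nonce
    if len(nonce) != 8:
        raise ValueError("v1 nonce must be 8 bytes")
    return V1 + nonce + _xor(plaintext, _keystream(key, nonce, len(plaintext)))


def decrypt_v1(key: bytes, record: bytes) -> bytes:
    if record[:2] != V1:
        raise ValueError("not a v1 record")
    nonce, body = record[2:10], record[10:]
    return _xor(body, _keystream(key, nonce, len(body)))


def _v2_subkeys(key: bytes) -> Tuple[bytes, bytes]:
    """Separate encryption and MAC keys derived from one master key."""
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"mac", hashlib.sha256).digest())


def encrypt_v2(key: bytes, plaintext: bytes, nonce: Optional[bytes] = None) -> bytes:
    """New format: b"v2" || nonce(16) || ciphertext || tag(32)."""
    nonce = os.urandom(16) if nonce is None else nonce
    if len(nonce) != 16:
        raise ValueError("v2 nonce must be 16 bytes")
    enc_key, mac_key = _v2_subkeys(key)
    body = _xor(plaintext, _keystream(enc_key, nonce, len(plaintext)))
    tag = hmac.new(mac_key, V2 + nonce + body, hashlib.sha256).digest()
    return V2 + nonce + body + tag


def decrypt_v2(key: bytes, record: bytes) -> bytes:
    if record[:2] != V2 or len(record) < 2 + 16 + 32:
        raise ValueError("not a v2 record")
    nonce, body, tag = record[2:18], record[18:-32], record[-32:]
    enc_key, mac_key = _v2_subkeys(key)
    expected = hmac.new(mac_key, V2 + nonce + body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):  # verify before decrypting
        raise ValueError("authentication tag mismatch")
    return _xor(body, _keystream(enc_key, nonce, len(body)))


def migrate_records(old_key: bytes, new_key: bytes,
                    records: List[bytes]) -> Tuple[List[bytes], Dict[str, int]]:
    """Re-encrypt every v1 record as v2; v2 records pass through unchanged.

    The byte counters expose the storage growth the column says must be
    monitored. Unknown version tags abort the run rather than being guessed.
    """
    migrated: List[bytes] = []
    stats = {"migrated": 0, "skipped": 0, "bytes_before": 0, "bytes_after": 0}
    for rec in records:
        stats["bytes_before"] += len(rec)
        if rec[:2] == V2:
            new = rec
            stats["skipped"] += 1
        elif rec[:2] == V1:
            new = encrypt_v2(new_key, decrypt_v1(old_key, rec))
            stats["migrated"] += 1
        else:
            raise ValueError("unknown envelope version %r" % rec[:2])
        stats["bytes_after"] += len(new)
        migrated.append(new)
    return migrated, stats
```

Running `migrate_records` twice over the same store is safe: the second pass reports every record as skipped and changes nothing, which is what makes the job restartable mid-way through a large database. The difference between `bytes_after` and `bytes_before` is the figure to feed into capacity planning before the upgrade is rolled out.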

You probably also want very granular access controls for the application data in the cloud, using a Lightweight Directory Access Protocol (LDAP) directory or Microsoft’s Active Directory software to interface with the database or file system, or with the portion of the drives that only a few people at your company can access. Also look for a single cloud-vendor directory for all its clients—partitioned by client, segment, application or user—that states who can access which application databases, file systems and portions of drives. This locked-down access prevents unauthorized users and administrators from inappropriately accessing data.

Lastly, you need a place to keep segment and application metadata so you can move the segments and applications your company owns into or out of the cloud. This directory metadata hierarchy should have a network segment definition with virtual firewall, switch, router and load-balancer metadata for each segment. The children of the segment parent would be the metadata for each application the segment supports.

I recommend using LDAP directories or Active Directory to keep your metadata. It gives you the flexibility to extract your applications from the cloud and enhance them to stay competitive. You could also remove segments and applications if you became dissatisfied with your cloud vendor. ■
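The two preceding ideas, a per-client directory that says who may reach which database or file system, and a segment-to-application metadata hierarchy that can be exported to move workloads in or out of a cloud, fit one tree. The following is an added example, not the column’s or any cloud vendor’s code: the hierarchy as Python dataclasses with a deny-by-default `can_access` check, plus an LDIF export using the standard `organization`, `organizationalUnit` and `applicationProcess` object classes so the tree can be loaded into an LDAP or Active Directory server. The node names (`o=client`, `ou=segment`, `cn=app`), the device-metadata fields, the grant attribute and the two sample tenants are assumptions made for the example.

```python
"""Tenant-partitioned cloud directory: segment metadata, application children,
and a deny-by-default access check.

Constructed example. The top level is partitioned by client, so two tenants
whose segment and application names collide (they may even share the same
physical segment in the vendor's cloud) can never see each other's grants.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional, Set


@dataclass
class Application:
    name: str
    databases: Set[str] = field(default_factory=set)
    file_systems: Set[str] = field(default_factory=set)
    # resource name -> DNs of the few people allowed to reach it (assumed attribute)
    grants: Dict[str, Set[str]] = field(default_factory=dict)

    def resources(self) -> Set[str]:
        return self.databases | self.file_systems


@dataclass
class Segment:
    """Network segment definition with its virtual device metadata."""
    name: str
    firewall: str
    switch: str
    router: str
    load_balancer: str
    applications: Dict[str, Application] = field(default_factory=dict)


@dataclass
class Client:
    name: str
    segments: Dict[str, Segment] = field(default_factory=dict)


Directory = Dict[str, Client]


def dn(client: str, segment: Optional[str] = None, app: Optional[str] = None) -> str:
    """Distinguished name of a node, most specific component first."""
    parts = []
    if app:
        parts.append("cn=" + app)
    if segment:
        parts.append("ou=" + segment)
    parts.append("o=" + client)
    return ",".join(parts)


def can_access(directory: Directory, user_dn: str, client: str,
               segment: str, app: str, resource: str) -> bool:
    """Deny by default: a grant must exist on this exact client/segment/app/resource.

    Missing clients, segments, applications or resources all yield False, and
    a cloud administrator's DN gets nothing unless it was explicitly granted.
    """
    c = directory.get(client)
    s = c.segments.get(segment) if c else None
    a = s.applications.get(app) if s else None
    if a is None or resource not in a.resources():
        return False
    return user_dn in a.grants.get(resource, set())


def to_ldif(directory: Directory) -> str:
    """Export the hierarchy as LDIF; device and resource metadata ride in
    description attributes (an assumption; a real schema would add attributes)."""
    lines = []
    for c in directory.values():
        lines += ["dn: " + dn(c.name), "objectClass: organization", "o: " + c.name, ""]
        for s in c.segments.values():
            lines += ["dn: " + dn(c.name, s.name), "objectClass: organizationalUnit",
                      "ou: " + s.name,
                      "description: firewall=%s;switch=%s;router=%s;lb=%s"
                      % (s.firewall, s.switch, s.router, s.load_balancer), ""]
            for a in s.applications.values():
                lines += ["dn: " + dn(c.name, s.name, a.name),
                          "objectClass: applicationProcess", "cn: " + a.name]
                lines += ["description: resource=" + r for r in sorted(a.resources())]
                lines.append("")
    return "\n".join(lines)


def build_sample() -> Directory:
    """Two constructed tenants whose segment and application names collide on purpose."""
    def tenant(name: str, user_dn: str) -> Client:
        app = Application("pos-web", databases={"cards-db"}, file_systems={"receipts-fs"},
                          grants={"cards-db": {user_dn}})
        seg = Segment("pos-dmz", firewall="vfw-01", switch="vsw-01", router="vrt-01",
                      load_balancer="vlb-01", applications={app.name: app})
        return Client(name, segments={seg.name: seg})
    return {"acme": tenant("acme", "uid=alice,ou=people,o=acme"),
            "globex": tenant("globex", "uid=bob,ou=people,o=globex")}
```

Because the client is the root of every lookup, the same `ou=pos-dmz` and `cn=pos-web` names under `o=acme` and `o=globex` are different nodes, and a grant on one tenant’s `cards-db` says nothing about the other’s. The LDIF output is the artifact that lets you lift a segment and its applications out of one vendor’s directory and load them into another.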


Gregory Machler is an independent consultant focused on IT and product solutions that involve both marketing and engineering.

[ debriefing]

Social Distortion

1. As of October 2010, how many active members did Facebook claim?

a. More than 500 million
b. 250 million
c. 160 million
d. 8 billion

2. How many applications are active on the Facebook platform?

a. More than 550,000
b. 250,000
c. 160,000
d. More than there are stars in the sky

3. How many active members does Twitter claim?

a. More than 500 million
b. 250 million
c. 160 million
d. 6

4. Approximately how many blogs are in Technorati’s blog directory?

a. 2.48 million
b. 1.99 million
c. 1.24 million
d. What’s a blog?

5. Which popular Facebook applications were blamed for leaking ID data last month?

a. FarmVille
b. Mafia Wars
c. iHeart
d. All of the above

6. Roughly what percentage of respondents to a Symantec survey in mid-2010 said their organization has a social media security policy?

a. 75%
b. 50%
c. 25%
d. What’s a social media security policy?

7. In the same survey, what percentage of respondents said they block access to social media sites?

a. 97%
b. 7%
c. 6%
d. 5%

8. Which of the following tweets have resulted in the tweeter being fired?

a. “I’m downtown eating. Surrounded by Mormons and repressed sexual energy.”
b. “Sad to hear of the passing of Sayyed Mohammed Hussein Fadlallah... One of Hezbollah’s giants I respect a lot.”
c. “Tues: Jane Adams, star of HBO series ‘Hung,’ skipped out on a $13.44 check. Her agent called and payed the following day. NO TIP!!!”
d. All of the above.

9. What is the most popular social networking site in Brazil?

a. Facebook
b. Orkut
c. Baidu
d. Friendster

Bonus question: Who owns Orkut?

a. Microsoft
b. Google
c. Facebook
d. Rupert Murdoch

How’d You Do?

0-3 points: Antisocial
4-7 points: Social Butterfly
8-10 points: Power User
Illustration by Steven Trotter